
Under Catalina MacOS 10.15 PHP under Apache has restricted access to some files via file links possibly by privacy changes

PROBLEM

After upgrading to MacOS 10.15 Catalina, PHP is having problems reading some links, and not others, running PHP (as Apache's user "www"). The problem appears to be possibly changes to the OS privacy/security configuration, which we know has changed, rather than directory execution permission / FollowSymLinks permissions.

DETAILS

$ ls -alt /Users/[MYUSER]/Sites/*info.php
lrwxr-xr-x  1 [MYUSER]  staff   8 Oct 10 11:16 /Users/[MYUSER]/Sites/linfo.php -> info.php
-rwxr-xr-x  1 [MYUSER]  staff  25 Oct 30  2014 /Users/[MYUSER]/Sites/info.php

In the above both pages info.php and linfo.php function correctly which I think shows the FollowSymLinks working.

$ ls -alt /Users/[MYUSER]/Sites/*index.php
lrwxr-xr-x  1 [MYUSER]  staff  78 Dec 30  2014 /Users/[MYUSER]/Sites/index.php -> /Users/[MYUSER]/Documents/[ADIR]/Development/GitHub/cms/sitesIndex.php
$ ls -alt /Users/[MYUSER]/Sites/sitesIndex.php
-rwxr-xr-x  1 [MYUSER]  staff  20847 Oct  8 13:11 sitesIndex.php

Of the above pages, index.php, a link, fails, whereas a copy of the linked file, sitesIndex.php, succeeds.

BACKGROUND

Though I don't believe it is related (because an inability to follow symlinks has a different error message), the following is the FollowSymLinks setting.

<Directory "/Users/*/Sites/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

$ cat $HOME/Sites/.htaccess
Options +FollowSymLinks

The web server runs as the user "www".

Apache is being initiated as root, though the worker threads run as _www as expected.

_www             65500   0.0  0.0  4317396   1288   ??  S     9:56AM   0:00.02 /usr/sbin/httpd -D FOREGROUND
_www             28574   0.0  0.0  4317440   2256   ??  S    12:16PM   0:00.03 /usr/sbin/httpd -D FOREGROUND
_www             28546   0.0  0.0  4317520   2612   ??  S    12:15PM   0:00.06 /usr/sbin/httpd -D FOREGROUND
root             28529   0.0  0.0  4317548   1284   ??  Ss   12:15PM   0:04.56 /usr/sbin/httpd -D FOREGROUND

All of these files within $HOME/Sites are under iCloud, and we are told in the release notes that there are new additional privacy restrictions introduced in 10.15 for iCloud directories, but it isn't clear to me what these restrictions are, or if the restrictions are documented.

ERRORS

In the server response page PHP produces the following errors:

Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0

Fatal error: Unknown: Failed opening required '/Users/owenbrunette/Sites/index.php' (include_path='.:') in Unknown on line 0

And in the error.log:

[Tue Oct 08 21:49:11.855033 2019] [php7:warn] [pid 83605] [client ::1:64968] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0, referer: http://localhost/
[Tue Oct 08 21:49:11.855078 2019] [php7:error] [pid 83605] [client ::1:64968] PHP Fatal error:  Unknown: Failed opening required '/Users/[MYUSER]/Sites/index.php' (include_path='.:') in Unknown on line 0, referer: http://localhost/

I have done a lot of file checking. The UNIX read and execute flags for other are set for all the directories leading to the files.

ATTEMPTS AT A SOLUTION

The error "operation not permitted" is an error string associated with "System Integrity Protection" under MacOS, and not Apache SymLink following, though the phrase "operation not permitted" may well not be unique. The error is coming from PHP, not Apache.

I have allowed full disk access in: System Preferences / Security & Privacy / Privacy / Full Disk Access.

I have not tried completely disabling SIP (System Integrity Protection) at the OS level, as that is far from an ideal solution.

ClearCrescendo asked Oct 10 '19 16:10


1 Answer

Catalina has more restrictive permissions. The fix is easy: enable full disk access for http. To do this:

System Preferences => Security & Privacy => Full Disk Access

Navigate to the root folder of the disk and press Cmd+Shift+. (to view all the folders under root) and then go to

/usr/sbin/

select "httpd" and restart it (apachectl -k restart).

That should do the trick.

Michael Hawley answered Sep 24 '22 14:09
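
An added diagnostic, not part of the question or the answer: in the question, the working linfo.php link stays inside Sites while the failing index.php link resolves into Documents, one of the per-user folders Catalina places behind its privacy controls. This Python script lists the symlinks under a web root whose real targets land in such folders. The folder list and the function names `protected_root` and `audit_webroot` are assumptions, not taken from the page.

```python
import os
import sys

# Assumption (not from the page): per-user folders that Catalina's privacy
# controls gate for processes lacking Full Disk Access. Adjust as needed.
PROTECTED = ("Desktop", "Documents", "Downloads", "Library/Mobile Documents")


def protected_root(path, home):
    """Return the protected folder containing path's real location, or None."""
    real = os.path.realpath(path)
    for name in PROTECTED:
        base = os.path.realpath(os.path.join(home, name))
        if real == base or real.startswith(base + os.sep):
            return base
    return None


def audit_webroot(webroot, home):
    """Return sorted (entry, real_target, protected_folder) tuples for the web
    root itself and every symlink below it that resolves into a protected folder."""
    candidates = [webroot]
    # followlinks=False: linked directories are listed but not descended into.
    for dirpath, dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in dirnames + filenames:
            entry = os.path.join(dirpath, name)
            if os.path.islink(entry):
                candidates.append(entry)
    findings = []
    for entry in candidates:
        base = protected_root(entry, home)
        if base:
            findings.append((entry, os.path.realpath(entry), base))
    return sorted(findings)


if __name__ == "__main__":
    home = os.path.expanduser("~")
    webroot = sys.argv[1] if len(sys.argv) > 1 else os.path.join(home, "Sites")
    for link, target, base in audit_webroot(webroot, home):
        print(f"{link} -> {target}  (inside {base})")
```

Relocating the reported targets outside the listed folders is an alternative to granting httpd Full Disk Access, which opens every protected location to the web server.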