PROBLEM
After upgrading to macOS 10.15 Catalina, PHP is having problems reading some links and not others, running as Apache's user "www". The problem appears to be possibly changes to the OS privacy/security configuration, which we know has changed, rather than directory execution permissions / FollowSymLinks permissions.
DETAILS
$ ls -alt /Users/[MYUSER]/Sites/*info.php
lrwxr-xr-x 1 [MYUSER] staff 8 Oct 10 11:16 /Users/[MYUSER]/Sites/linfo.php -> info.php
-rwxr-xr-x 1 [MYUSER] staff 25 Oct 30 2014 /Users/[MYUSER]/Sites/info.php
In the above both pages info.php and linfo.php function correctly which I think shows the FollowSymLinks working.
$ ls -alt /Users/[MYUSER]/Sites/*index.php
lrwxr-xr-x 1 [MYUSER] staff 78 Dec 30 2014 /Users/[MYUSER]/Sites/index.php -> /Users/[MYUSER]/Documents/[ADIR]/Development/GitHub/cms/sitesIndex.php
$ ls -alt /Users/[MYUSER]/Sites/sitesIndex.php
-rwxr-xr-x 1 [MYUSER] staff 20847 Oct 8 13:11 sitesIndex.php
Of the above pages, index.php (a link) fails, whereas a copy of the linked file, sitesIndex.php, succeeds.
BACKGROUND
Though I don't believe it is related (because an inability to follow symlinks has a different error message), the following is the FollowSymLinks setting.
<Directory "/Users/*/Sites/">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Require all granted
</Directory>
$ cat $HOME/Sites/.htaccess
Options +FollowSymLinks
The web server runs as the user "www".
Apache is being initiated as root, though the worker threads run as _www as expected.
_www 65500 0.0 0.0 4317396 1288 ?? S 9:56AM 0:00.02 /usr/sbin/httpd -D FOREGROUND
_www 28574 0.0 0.0 4317440 2256 ?? S 12:16PM 0:00.03 /usr/sbin/httpd -D FOREGROUND
_www 28546 0.0 0.0 4317520 2612 ?? S 12:15PM 0:00.06 /usr/sbin/httpd -D FOREGROUND
root 28529 0.0 0.0 4317548 1284 ?? Ss 12:15PM 0:04.56 /usr/sbin/httpd -D FOREGROUND
All of these files within $HOME/Sites are under iCloud, and we are told in the release notes that there are new additional privacy restrictions introduced in 10.15 for iCloud directories, but it isn't clear to me what these restrictions are, or if the restrictions are documented.
ERRORS
In the server response page PHP produces the following errors:
Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
Fatal error: Unknown: Failed opening required '/Users/owenbrunette/Sites/index.php' (include_path='.:') in Unknown on line 0
And in the error.log:
[Tue Oct 08 21:49:11.855033 2019] [php7:warn] [pid 83605] [client ::1:64968] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0, referer: http://localhost/
[Tue Oct 08 21:49:11.855078 2019] [php7:error] [pid 83605] [client ::1:64968] PHP Fatal error: Unknown: Failed opening required '/Users/[MYUSER]/Sites/index.php' (include_path='.:') in Unknown on line 0, referer: http://localhost/
I have done a lot of file checking. The UNIX read and execute flags for other are set for all the directories leading to the files.
ATTEMPTS AT A SOLUTION
The error "operation not permitted" is an error string associated with System Integrity Protection under macOS, and not Apache symlink following, though the phrase "operation not permitted" may well not be unique. The error is coming from PHP, not Apache.
I have allowed full disk access in: System Preferences / Security & Privacy / Privacy / Full Disk Access.
I have not tried completely disabling SIP (System Integrity Protection) at the OS level, as that is far from an ideal solution.
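The checks described above (mode bits on every directory in the chain, link versus target, and which error the OS actually returns) as one diagnostic script. This is an added example, not code from the question or its answers; it assumes POSIX sh with ls, readlink, dirname and cat, absolute paths, and that it is run as the Apache worker user so it sees exactly what PHP sees (for example `sudo -u _www sh diagnose.sh /Users/MYUSER/Sites/index.php`; the script name and path are placeholders). The distinction that matters is in probe_read: "Permission denied" (EACCES) is the UNIX mode bits, while "Operation not permitted" (EPERM) on a file whose mode bits allow the read is the macOS privacy layer (TCC) or SIP refusing on the process's behalf, which is the case the Full Disk Access grant to httpd is meant to address.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Run as the web server user,
# e.g.  sudo -u _www sh diagnose.sh /Users/MYUSER/Sites/index.php
# Assumes POSIX sh, ls, readlink, dirname, cat, and absolute paths.

# Permission bits for "other" (e.g. "r-x"), taken from columns 8-10 of ls -ld.
# Works on macOS and Linux ls output, including lines that carry a trailing
# @ or + for extended attributes / ACLs.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Resolve one level of symlink (realpath is not on every macOS release);
# a non-link prints itself. A dangling link still resolves to its target path.
link_target() {
    t=$(readlink "$1") || { printf '%s\n' "$1"; return; }
    case $t in
        /*) printf '%s\n' "$t" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$t" ;;
    esac
}

# Walk from / down to the file and print every directory "other" cannot
# traverse (missing o+x) and, for the file itself, whether it lacks o+r.
# Prints nothing when the UNIX mode bits would allow the read.
check_path_chain() {
    path=$1
    acc=
    oldifs=$IFS
    IFS=/; set -f; set -- $(dirname "$path"); set +f; IFS=$oldifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        case $(other_perms "$acc") in
            ??x) ;;
            *)   printf 'no traverse (o+x): %s\n' "$acc" ;;
        esac
    done
    case $(other_perms "$path") in
        r??) ;;
        *)   printf 'no read (o+r): %s\n' "$path" ;;
    esac
}

# Open the file the way PHP's require would and classify the OS error.
# EACCES ("Permission denied") means UNIX mode bits; EPERM ("Operation not
# permitted") on a file whose mode bits allow the read means the macOS
# privacy layer (TCC) or SIP refused on the process's behalf.
probe_read() {
    if err=$( { cat "$1" >/dev/null; } 2>&1 ); then
        echo "OK: readable"
        return 0
    fi
    case $err in
        *"Operation not permitted"*) echo "EPERM: macOS privacy (TCC)/SIP, not mode bits" ;;
        *"Permission denied"*)       echo "EACCES: UNIX permission bits" ;;
        *"No such file"*)            echo "ENOENT: dangling link or wrong path" ;;
        *)                           echo "other: $err" ;;
    esac
}

# Report on the path as given and, when it is a symlink, on its target too,
# because a link and its target can fail for different reasons.
diagnose() {
    echo "== $1"
    check_path_chain "$1"
    probe_read "$1"
    if [ -L "$1" ]; then
        t=$(link_target "$1")
        echo "== link target: $t"
        check_path_chain "$t"
        probe_read "$t"
    fi
}

if [ $# -gt 0 ]; then
    for f in "$@"; do diagnose "$f"; done
fi
```

If check_path_chain prints nothing for both the link and its target but probe_read still reports EPERM when run as _www, the mode bits and FollowSymLinks are not the problem and the refusal is coming from the OS privacy layer.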
Enable Full Disk Access: open System Preferences ▸ Security & Privacy. Select the Privacy tab. Select Full Disk Access, then click the lock icon.
macOS comes with built-in versions of Apache and PHP, and we could easily use those. However, there are a few drawbacks with this approach.
Catalina has more restrictive permissions. The fix is easy: enable full disk access for http. To do this:
System Preferences => Security & Privacy => Full Disk Access
Navigate to the root folder of the disk and press Cmd+Shift+. (to view all the folders under root) and then go to
/usr/sbin/
select "httpd" and restart it (apachectl -k restart).
That should do the trick.