Permission problem using CertSage v1.3.0 with Plesk on shared server

@griffin yes, I copied and pasted from your post.

1 Like

@griffin By the way, that php script that existed during the migration is part of my failed forms. All the forms use it and none work since the move.

Edit: Arvixe finally got back to me giving me access to my messages on their mail server. The mail php is working and the email is being sent, so that part of my forms is working. If I change the group/user to blank like the certsage.php, it doesn't look like I can change it back.

Why/how would you change the group/user to blank?

4 Likes

I'm still thinking that if you set the directory permissions correctly, things should work. You might need to give full permissions (read, write, execute/list) to all users (owner, group, and others). You should still be protected by your hosting boundaries, so the risk should be minimal/none.

4 Likes

@griffin I'm asking this same question on the Plesk forum. It doesn't look like they resolve a lot of issues there.

I would want to set my migrated php file to blank to see if that's the reason why my new php file is failing. The migrated php file works and the only difference I can see is the Group/Name isn't blank. (It's also located in my CGI-bin but I wouldn't think that would make a difference.)

I'm wondering if Arvixe turned off php files. Based on some of the threads I saw, it looks like the host has that option.

Yeah, blank would be bad. It would mean the file has no functional owner. Setting full permissions for all users for the entire directory tree (from the root) should overcome this situation though. As long as you're the only one using the account, you should be fine.

5 Likes

@griffin I've given full permissions at wwwroot. It had full permissions before I found I could set the permissions on the php file. Something I don't understand, in Plesk I'm in a contained environment logged on as the owner of the site. In my browser, where I'm executing certsage.php, I'm an anonymous user. I don't understand how giving all of the permissions works outside of my Plesk login.

While in Plesk granting permissions to wwwroot, the Group/User is blank. When I go into the Advanced settings, my users are only my ftp users; there are no others, so I can't give permission to myself outside of Plesk.

@griffin So I had another thought, I opened my website in preview, it looks like I'm still in the Plesk bubble and ran the certsage.php script. I still bombed on line 35 that it can't make the directory. It doesn't look like my login has anything to do with anything.

? PHP usually runs as the wwwdata user. The visitor isn't the one running the PHP script.

4 Likes

@griffin I'm confused. I thought I put certsage.php in my wwwroot subdirectory and then go out to my browser and execute it there, mydomain.com/certsage.php . If that's not how it's executed then where/how do I execute it?

That is how CertSage is run (from your browser in wwwroot). It's just that the script doesn't run from an administrative perspective as "some random user". It runs under a "system-oriented" username (or your own username, supposedly, if you're using CGI). This results in the PHP script being able to do things that the visitor themself cannot do directly, for security/functionality purposes.

5 Likes

@griffin now, I'm more confused! How do I distinguish myself from my visitors? There's nothing for me to log in to. I'm on my browser, I enter my domain name, I add certsage.php and press enter.

I tried bringing up my website and executing the php on a PC and it won't bring it up, just sends me to Plesk. When I login to Plesk, I'm at the control panel level.

How do I get and use a system-oriented username for my website? Hopefully, without involving Arvixe. I now have 5 unanswered support tickets!

Sorry if some of this is confusing. With breathing tech on a daily basis, I sometimes tend to forget that not everyone does. I'll try to clarify. When someone visits your site with their browser, they are actually making an HTTP request for a resource (e.g. a PHP file). The server receiving that request decides how to handle that request based on how it's configured. In the case of a .php file, the server runs a PHP interpreter that processes the file. This is how a PHP script "gets run". That interpreter, just like a human user, has limits placed upon it to prevent insecure/vulnerable PHP code from having access/rights that it shouldn't. Technically speaking, human users typically have "user accounts" to which access/rights are assigned whereas "machine users" (apps/software/programs/interpreters/AIs) have "service principals" to which access/rights are assigned. Same concept, essentially, just a different term. On certain occasions, based upon how the system (e.g. Plesk) is configured, the PHP interpreter can inherit the rights of the user owning the account. This can simplify configuration changes by making it unnecessary to maintain two sets of permissions.

5 Likes

@griffin thanks for the explanation but I'm still not seeing a solution. I'm assuming I'm not able to execute certsage.php because I don't log into my website in a browser. (My website is informational, written in VB using ASP, I only have one php file and it's used by the forms.) So since I can't login, I have no credentials and that's why certsage.php isn't able to create the directory and files it needs.

I looked within Plesk and I didn't see any kind of terminal or execute area. I think I'm going to be paying for an SSL which is ok because I don't have to pay for domain renewal or private registration and I have unlimited mailboxes and aliases (all very important to me).

1 Like

Your ability to login to your website has absolutely nothing to do with what is happening. This is purely a file system permission problem for whatever OS user account is running the PHP scripts in the background.

4 Likes
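
The point made in the replies above, that the outcome depends on the OS account running the PHP interpreter and not on who requests the page, can be checked directly. The script below is an added example, not part of the thread or of CertSage; the file name `permcheck.php` and the probe directory name are hypothetical, and checking both the web root and its parent is an assumption.

```php
<?php
// Added example, not part of CertSage. Upload it beside certsage.php, request
// it once in a browser, then delete it: the output discloses account and path
// details.

// Hypothetical probe name (an assumption; not a directory CertSage uses).
const PROBE_DIR = 'permcheck-probe';

// Try to create and remove a directory under $parent, as the PHP process.
function probeParent(string $parent): array
{
    $target = $parent . DIRECTORY_SEPARATOR . PROBE_DIR;
    $result = ['parent' => $parent, 'is_writable' => is_writable($parent),
               'mkdir_ok' => false, 'error' => null];

    if (file_exists($target)) {
        $result['error'] = 'probe path already exists; remove it and retry';
        return $result;
    }
    // Silence the warning here and report it from error_get_last() instead.
    if (@mkdir($target)) {
        $result['mkdir_ok'] = true;
        rmdir($target);
    } else {
        $result['error'] = error_get_last()['message'] ?? 'mkdir failed';
    }
    return $result;
}

// Account the interpreter runs as: POSIX lookup where available, otherwise
// the USERNAME environment variable (Windows; may be unset under some setups).
$account = function_exists('posix_geteuid')
    ? (posix_getpwuid(posix_geteuid())['name'] ?? 'unknown')
    : (getenv('USERNAME') ?: 'unknown');

header('Content-Type: text/plain; charset=utf-8');
echo 'PHP SAPI:        ', php_sapi_name(), "\n";
echo 'Process account: ', $account, "\n\n";

// Assumption: check both the web root and its parent, since the thread does
// not say which directory the failing mkdir targets.
foreach ([__DIR__, dirname(__DIR__)] as $parent) {
    $r = probeParent($parent);
    echo $r['parent'], "\n";
    echo '  is_writable: ', $r['is_writable'] ? 'yes' : 'no', "\n";
    echo '  mkdir:       ', $r['mkdir_ok'] ? 'ok' : 'FAILED', "\n";
    if ($r['error'] !== null) {
        echo '  detail:      ', $r['error'], "\n";
    }
}
```

The account it names is the one whose write permission on the reported directory matters; granting that account alone is narrower than granting every user.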

I think that it doesn't matter who connects to http://your.site/certsage.php
[that is merely a trigger for the system]
The .php interpreter would read that file and take the exact same action(s).

6 Likes

You are absolutely correct, @rg305. 🙂

6 Likes

Since you're using IIS as your webserver, you might run into trouble acquiring ACME-issued (e.g. Let's Encrypt) certificates on top of the permission troubles, so a paid solution might be advisable regardless.

5 Likes

@griffin I had a thought, to secure the folder forcing a login to my site so I could use my permissions. I tried securing home directory, brentwoodestateshoa.com, and wwwroot, none of them asked me to log into the site. At what point does the request to view a website execute?


What part of "logging into your site has absolutely nothing to do with the problem" was confusing? 🤔

I appreciate that you're trying things, but this is absolutely a false start. 🙂

5 Likes