Reputation: 2479
After I updated the following packages I got an error that the oauth-public.key file couldn't be found.
Package operations: 1 install, 2 updates, 0 removals
Updating laravel/framework (v5.4.27 => v5.4.28): Downloading (100%)
Installing defuse/php-encryption (v2.1.0): Downloading (100%)
Updating league/oauth2-server (5.1.3 => 5.1.4): Downloading (100%)
Firstly I deleted the two oauth- files in project/storage and then executed this command: php artisan passport:install to generate new oauth- files.
Now I get the following error when trying to access an api route.
(1/1) ErrorException chmod(/var/dev/project/storage/oauth-public.key): Operation failed: Operation not permitted
Stack trace
in CryptKey.php (line 51)
at HandleExceptions->handleError(2, 'chmod(/var/dev/project/storage/oauth-public.key): Operation failed: Operation not permitted', '/var/dev/project/vendor/league/oauth2-server/src/CryptKey.php', 51, array('keyPath' => 'file:///var/dev/project/storage/oauth-public.key', 'passPhrase' => null, 'keyPathPerms' => '644'))
at chmod('file:///var/dev/project/storage/oauth-public.key', 384) in CryptKey.php (line 51)
at CryptKey->__construct('file:///var/dev/project/storage/oauth-public.key') in ResourceServer.php (line 50)
File permissions
-rw-r--r-- user:user oauth-private.key
-rw-r--r-- user:user oauth-public.key
Update 1
I found out that the OAuth library introduced a security fix: Oauth V5 Security Improvements
Version 5.1.4 is backwards compatible with other 5.1.x releases.
You will notice in your server logs a message like this:
You must set the encryption key going forward to improve the security of this library - see this page for more information https://oauth2.thephpleague.com/v5-security-improvements/
To suppress this notice, once you have instantiated an instance of \League\OAuth2\Server\AuthorizationServer you should call the setEncryptionKey() method, passing in at least 32 bytes of random data.
You can generate this using base64_encode(random_bytes(32)). Alternatively, if you're using a framework such as Laravel which has an encryption key already generated, you can pass in that (in the case of Laravel use env('APP_KEY')).
Problem is that the maintainer of Laravel Passport has to fix this.
Update 2
After I removed the vendor folder and executed composer install again, I still get the same error.
Upvotes: 18
Views: 11164
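The stack trace above already contains the diagnosis: chmod(..., 384) is chmod 0600 written in decimal, the library found the keys at mode 644 ('keyPathPerms' => '644') and tried to tighten them, and chmod on a file you do not own fails with "Operation not permitted" (EPERM) unless you are root. The PHP worker runs as the web server user, while the listing shows both keys owned by user:user. The script below is an added example, not code from this thread or from league/oauth2-server: it reproduces that ownership/mode check and reports, for each Passport key, whether the library's chmod would succeed for whoever runs it, and fix_passport_keys applies the chown/chmod from the answers below to both keys (Passport's token endpoint signs with the private key under the same PHP process, so both files are read by the worker). The function names and the storage directory used in the comments are my own.

```shell
# Added example (not from the thread): reproduce the owner/mode check that
# league/oauth2-server's CryptKey performs on its key files and report whether
# its chmod(<key>, 0600) can succeed for the current user.
# Assumes GNU coreutils stat (Linux); falls back to BSD stat syntax.

key_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
key_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# key_status FILE -> prints one of: ok | needs-chmod | not-owner | missing
#   ok          already 0600, the library has nothing to change
#   needs-chmod mode differs but we own the file, so chmod(0600) will succeed
#   not-owner   another user owns it: chmod fails with EPERM unless we are root
#               (this is the "Operation not permitted" in the question)
#   missing     file does not exist (generate it with passport:install first)
key_status() {
    f=$1
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    owner=$(key_owner "$f")
    mode=$(key_mode "$f")
    if [ "$owner" != "$(id -un)" ] && [ "$(id -u)" != 0 ]; then
        echo not-owner; return 0
    fi
    if [ "$mode" = 600 ]; then echo ok; else echo needs-chmod; fi
}

# check_passport_keys STORAGE_DIR -> prints "<file> <status>" for both keys and
# returns non-zero if any key is not "ok". Run it as the user PHP runs as
# (e.g. sudo -u www-data sh check.sh /var/dev/project/storage) to see what the
# library will see.
check_passport_keys() {
    dir=$1; rc=0
    for k in oauth-private.key oauth-public.key; do
        s=$(key_status "$dir/$k")
        echo "$dir/$k $s"
        [ "$s" = ok ] || rc=1
    done
    return $rc
}

# fix_passport_keys STORAGE_DIR WORKER_USER -> what the chown/chmod answers do,
# applied to both keys. Needs root. Only the two key files are touched; the
# storage directory itself keeps its permissions.
fix_passport_keys() {
    dir=$1; user=$2
    for k in oauth-private.key oauth-public.key; do
        chown "$user:$user" "$dir/$k" && chmod 600 "$dir/$k" || return 1
    done
}

# Stand-alone usage: sh check.sh /path/to/storage
if [ $# -gt 0 ]; then
    check_passport_keys "$1"
fi
```

A key that reports needs-chmod when run as the PHP worker user is harmless (the library fixes it on first use); not-owner is the state in the question, and the cure is the chown in the answers, after which the library's own chmod, or the explicit chmod 600, brings it to ok.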
Reputation: 371
Try:
sudo chown www-data:www-data storage/oauth-*.key
sudo chmod 600 storage/oauth-*.key
It solved my problem.
Upvotes: 27
Reputation: 549
It depends on your Laravel and Passport version too. If you are using the latest Laravel 5.4, it uses Passport 3.0, which has the patch for the OAuth package.
If you are using Laravel 5.3, it uses Passport 1.0 (you should upgrade!!) [no patch], but this uses the stable version of league/oauth2-server at the time (5.1.4), which has the file check.
The solution for this: you need to force-install version 5.1.3 (not ideal), but it would fix the issue.
Run in the project root:
composer require league/oauth2-server 5.1.3
Upvotes: 0
Reputation: 555
According to the latest oauth-server 5.1.4 update, you should set an encryption key, which is not implemented yet in passport 2.x.
An easy and fast fix to this is by using passport 3.x, which uses oauth-server 6.x, by updating your composer.json file with:
"laravel/passport": "^3.0"
Then
composer update
Upvotes: 12
Reputation: 51
It would not be safe to change the owner of oauth-private.key to www-data:www-data. Only the oauth-public.key should be owned by www-data:www-data.
This should be sufficient:
sudo chown www-data:www-data oauth-public.key
sudo chmod 600 oauth-public.key
Once done, check your permissions by running this in the storage folder:
ls -la
Owner of oauth-private.key should NOT be www-data:www-data.
Owner of oauth-public.key should be www-data:www-data.
Upvotes: 5
Reputation: 51
Finally! I found the solution. (CentOS)
chown apache:apache oauth-public.key
chown apache:apache oauth-private.key
First you need to find the username of your server. This will return the username you need:
ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1
For me it's apache.
Upvotes: 5
Reputation: 131
Same issue here. I've temporarily rolled back to an earlier version of my composer.lock file. It looks like the OAuth package is trying to modify the permissions of the keys within the storage folder and my server is not having it.
I'm going to take a look at the package's change log and see what's changed, and perhaps rerun the updates after hours.
Upvotes: 0