suexec + file upload == permission denied for non php/cgi scripts

Ok, so I have suexec working on my server and it's successfully serving pages as users. The problem is that whenever a user uploads a file via a PHP or CGI script, the file gets 700 permissions (WHICH IS WHAT I WANT), but when the webserver goes to serve that file, it does NOT change to the suexec user if the file is not a "script" file. Let's say the user uploads a .jpg file. The file is uploaded perfectly. The user can "load" the file using PHP just fine, etc., but if the user tries to "view" the image with a web browser then the server rejects it because it's attempting to use the default apache user to view the uploaded file. How do I get apache to totally run as a specified user? Here's how to reproduce:

1.  Get suexec working and set up this virtual host
####photos.com
<VirtualHost 111.111.111.111:80>
      ServerName photos.com
      ServerAlias photos.com
      DocumentRoot /home/photos/public_html
      CustomLog /home/photos/access.log combined
      ErrorLog /home/photos/error.log
      SuexecUserGroup photos photos
#php-current is simply a name I gave php 5.2.14 that I compiled. I use different versions of php for different clients, using a standard name allows me to hardlink different versions easily.
      ScriptAlias /php5 "/home/photos/php/php-current"
</VirtualHost>

2.  Create a file upload script in PHP
3.  Upload a jpg file (or any file other than php for that matter)
4.  Check the permissions of the file, which should always be 600 and owned by the correct user
[root@webserver public_html]# ls -l 4.jpg
-rw------- 1 photos photos 101984 2010-11-23 13:14 4.jpg*
5.  View the file from a web browser

Expected result would be that the browser displays the image. But the actual result is error(13), which is a permission denied, because the webserver is actually trying to view the file using the default apache user/group, which for me is set to apache/apache. To prove this, if I chown the 4.jpg file to apache.apache, I can then view the file. How do I fix this without setting a huge gaping security hole in the site by setting 655 (which would be needed to view the file via chmod)? If I change the owner to apache, then the php process could no longer "delete" the file because then it's no longer the owner of that file. Thus the only solution is to chmod it to 655 so that apache can read it (along with ALL subdirs above the file), which is probably the biggest security hole on the planet. There has to be a common solution to this huge security issue.

Why is suexec only running php/cgi scripts as the user and not other files as it should be?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
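One way to close the gap described in the post is to stop serving uploads as static files and hand them out through a small PHP script that itself runs under suexec as the vhost user, so the upload can stay mode 0600 and owned by "photos". This is an added example, not code from the original post; it assumes uploads are stored in /home/photos/uploads (outside DocumentRoot) and that the script is reached through the vhost's PHP CGI with the file name in the "f" query parameter.

```php
<?php
// serve.php (hypothetical): read a user-owned upload and stream it to the
// browser. Because PHP-CGI runs as "photos" under suexec, a 0600 file is
// readable here even though the apache user cannot open it directly.
declare(strict_types=1);

// Assumed location of the uploads; it is not the DocumentRoot.
const UPLOAD_DIR = '/home/photos/uploads';

// Only hand out types the gallery actually stores; anything else is refused
// rather than guessed, so an uploaded .html or .php is never served inline.
const ALLOWED_TYPES = ['image/jpeg' => true, 'image/png' => true, 'image/gif' => true];

function resolve_upload(string $name): ?string
{
    // Reject empty names, hidden files, slashes and traversal sequences before
    // touching the filesystem: only a single plain file name is acceptable.
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    // realpath() follows symlinks; the resolved file must still be inside UPLOAD_DIR.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_upload($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}

// Sniff the real content type instead of trusting the file extension.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if ($type === false || !isset(ALLOWED_TYPES[$type])) {
    http_response_code(403);
    exit;
}

header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path); // executed as user "photos", so neither the file nor its parent dirs need to be world-readable
```

Pages then reference the image through this script rather than as a static /4.jpg URL, and the PHP process that uploaded the file remains its owner, so it can still delete it.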
