suexec + file upload == permission denied for non php/cgi scripts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: suexec + file upload == permission denied for non php/cgi scripts
From: Lowlight <lowlight1974@xxxxxxxxx>
Date: Tue, 23 Nov 2010 16:03:43 -0500
Reply-to: users@xxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6

Ok, so I have suexec working on my server and it's successfully servingpages as user's. The problem is that whenever a user uploads a file viaa php or cgi script, the file gets 700 permissions (WHICH IS WHAT IWANT), but when the webserver goes to serve that file, it does NOTchange to the suexec user if the file is not a "script" file. Lets saythe user uploads a .jpg file. The file is uploaded perfectly. The usercan "load" the file using php just fine etc, but if the user tries to"view" the image with a web browser then the server rejects it becauseit's attempting to use the default apache user to view the uploadedfile. How do I get apache to totally run as a specified user? Hereshow to reproduce:


1.  Get suexec working and setup this virtual host
####photos.com
<VirtualHost 111.111.111.111:80>
      ServerName photos.com
      ServerAlias photos.com
      DocumentRoot /home/photos/public_html
      CustomLog /home/photos/access.log combined
      ErrorLog /home/photos/error.log
      SuexecUserGroup photos photos

#php-current is simply a name I gave php 5.2.14 that I compiled.I use different versions of php for different clients, using a standardname allows me to hardlink different versions easily.

      ScriptAlias /php5 "/home/photos/php/php-current"
</VirtualHost>

2.  create a file upload script using php script
3.  upload a jpg file (or any file other than php for that matter)

4. check permissions of file which should always result in 600 that isowned by the correct user

[root@webserver public_html]# ls -l 4.jpg
-rw------- 1 photos photos 101984 2010-11-23 13:14 4.jpg*
5.  view file from web browser

Expected result would be that the browser displays the image. But theactual result is error(13) which is a permission denied because thewebserver is actually trying to view the file using the default apacheuser/group which for me is set to apache/apache. To prove this, if Ichown the 4.jpg file to apache.apache, I can then view the file. Howdo I fix this without setting a huge gaping security hole in the site bysetting 655 (which would be needed to view the file via chmod). If Ichange the owner to apache, then the php process could no longer"delete" the file because then it's no longer the owner of that file.Thus the only solution is to chmod it to 655 so that apache can read it(along with ALL subdirs above the file) which is probably the biggestsecurity hole on the planet. There has to be a common solution to thishuge security issue.

Why is suexec only running php/cgi scripts as the user and not otherfiles as it should be?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Prev by Date: Re: Mod-jk worker not being called after calling handler
Next by Date: [mod_ssl] SSLCipherSuite ignored?
Previous by thread: AcceptMutex directive
Next by thread: Re: suexec + file upload == permission denied for non php/cgi scripts
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]