----- "Lowlight" <lowlight1974@xxxxxxxxx> wrote:

> Ok, so I have suexec working on my server and it's successfully serving
> pages as users. The problem is that whenever a user uploads a file via
> a php or cgi script, the file gets 700 permissions (WHICH IS WHAT I
> WANT), but when the webserver goes to serve that file, it does NOT
> change to the suexec user if the file is not a "script" file. Let's say
> the user uploads a .jpg file. The file is uploaded perfectly. The user
> can "load" the file using php just fine etc, but if the user tries to
> "view" the image with a web browser then the server rejects it because
> it's attempting to use the default apache user to view the uploaded
> file. How do I get apache to totally run as a specified user? Here's
> how to reproduce:
>
> 1. Get suexec working and setup this virtual host
>
> ####photos.com
> <VirtualHost 111.111.111.111:80>
>     ServerName photos.com
>     ServerAlias photos.com
>     DocumentRoot /home/photos/public_html
>     CustomLog /home/photos/access.log combined
>     ErrorLog /home/photos/error.log
>     SuexecUserGroup photos photos
>     # php-current is simply a name I gave php 5.2.14 that I compiled.
>     # I use different versions of php for different clients, using a
>     # standard name allows me to hardlink different versions easily.
>     ScriptAlias /php5 "/home/photos/php/php-current"
> </VirtualHost>
>
> 2. create a file upload script using php script
> 3. upload a jpg file (or any file other than php for that matter)
> 4. check permissions of file which should always result in 600 that is
>    owned by the correct user
>
> [root@webserver public_html]# ls -l 4.jpg
> -rw------- 1 photos photos 101984 2010-11-23 13:14 4.jpg*
>
> 5. view file from web browser
>
> Expected result would be that the browser displays the image.

No, given what you describe, this actually *is* the expected result:

> But the actual result is error(13) which is a permission denied because the
> webserver is actually trying to view the file using the default apache
> user/group which for me is set to apache/apache. To prove this, if I
> chown the 4.jpg file to apache.apache, I can then view the file. How
> do I fix this without setting a huge gaping security hole in the site by
> setting 655 (which would be needed to view the file via chmod). If I
> change the owner to apache, then the php process could no longer
> "delete" the file because then it's no longer the owner of that file.
>
> Thus the only solution is to chmod it to 655 so that apache can read it

I know it sounds crazy, but have you considered doing a chmod to the apache
user? And to have a umask of 027? That would give you a permission model of:

-rw-r----- 1 photos apache 101984 2010-11-23 13:14 4.jpg

allowing that apache user to see, read and serve your file.

> (along with ALL subdirs above the file) which is probably the biggest
> security hole on the planet. There has to be a common solution to this
> huge security issue.

You're over exaggerating a bit here ;)

> Why is suexec only running php/cgi scripts as the user and not other
> files as it should be?

No, it's not what you tell it to do. You tell it to only execute scripts as
a particular user, nothing more. SuEXEC listens to things defined by
ScriptAlias or Options +ExecCGI, it will not execute any or every file.

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
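The permission model suggested in the reply above (umask 027 plus handing the uploaded file to the web server's group, so it ends up -rw-r----- as photos:apache) can be checked without a running Apache. The following POSIX shell script is an added example written for this page, not code from the thread or from the httpd project: it creates an "upload" under umask 027, changes its group, and then checks that neither the file nor the directory chain above it grants anything to "other", which is the 655-on-everything exposure the original poster was worried about. The directory name uploads, the file name 4.jpg and the group passed in are constructed for the example; on a real host the group would be the one Apache runs as, and in a sandbox you pass your own primary group instead.

```shell
#!/bin/sh
# Added example (not part of the thread): reproduce the permission model from
# the reply. An upload created under umask 027 and handed to the web server's
# group comes out as -rw-r----- (640): the owner keeps full control, the
# server's group can read and serve it, and "other" gets nothing.
#
# Assumptions (constructed for this example): the "uploads" directory and
# "4.jpg" are made-up names, and the group argument stands in for "apache".

# Print the permission bits of a path as three octal digits
# (GNU stat first, BSD stat as fallback; a leading setgid digit is dropped).
file_mode() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# One digit of a three-digit mode: 1 = owner, 2 = group, 3 = other.
mode_digit() {
    printf '%s\n' "$1" | cut -c "$2"
}

# Simulate the PHP/CGI upload running under suexec. The umask is set in a
# subshell so it only affects what is created here; the directory gets
# 777 & ~027 = 750 and the file 666 & ~027 = 640. The group is changed
# afterwards, as the reply suggests. Prints the resulting file mode.
simulate_upload() {
    root=$1
    webgroup=$2
    (
        umask 027
        mkdir -p "$root/uploads"
        : > "$root/uploads/4.jpg"
    )
    chgrp "$webgroup" "$root/uploads" "$root/uploads/4.jpg"
    file_mode "$root/uploads/4.jpg"
}

# True (exit 0) when the "other" bits grant read access, i.e. when every
# local account, not just the owner and the server's group, could read it.
is_world_readable() {
    case $(mode_digit "$(file_mode "$1")" 3) in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Walk from the directory containing $2 up to $1 and require each directory
# to be group-traversable (r-x or rwx) without being world-readable, so the
# server can reach the file while other users cannot list the tree.
# Prints "ok", or the first offending directory and fails.
check_chain() {
    top=$1
    dir=$(dirname "$2")
    while :; do
        case $(mode_digit "$(file_mode "$dir")" 2) in
            5|7) ;;
            *) echo "$dir"; return 1 ;;
        esac
        if is_world_readable "$dir"; then echo "$dir"; return 1; fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo ok
}

# Usage on a real host (hypothetical paths from the thread):
#   simulate_upload /home/photos/public_html apache
#   check_chain /home/photos/public_html /home/photos/public_html/uploads/4.jpg
```

The check deliberately looks at the whole chain and not just the file: a 640 file under a 755 directory still lets any local user stat and read the listing, which is exactly the "ALL subdirs above the file" point in the quoted message, while 750 directories owned by the user's group-shared-with-apache close that off.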