You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Lowlight <lo...@gmail.com> on 2010/11/23 22:03:43 UTC
[users@httpd] suexec + file upload == permission denied for non php/cgi scripts
Ok, so I have suexec working on my server and it's successfully serving
pages as user's. The problem is that whenever a user uploads a file via
a php or cgi script, the file gets 700 permissions (WHICH IS WHAT I
WANT), but when the webserver goes to serve that file, it does NOT
change to the suexec user if the file is not a "script" file. Lets say
the user uploads a .jpg file. The file is uploaded perfectly. The user
can "load" the file using php just fine etc, but if the user tries to
"view" the image with a web browser then the server rejects it because
it's attempting to use the default apache user to view the uploaded
file. How do I get apache to totally run as a specified user? Heres
how to reproduce:
1. Get suexec working and setup this virtual host
####photos.com
<VirtualHost 111.111.111.111:80>
ServerName photos.com
ServerAlias photos.com
DocumentRoot /home/photos/public_html
CustomLog /home/photos/access.log combined
ErrorLog /home/photos/error.log
SuexecUserGroup photos photos
#php-current is simply a name I gave php 5.2.14 that I compiled.
I use different versions of php for different clients, using a standard
name allows me to hardlink different versions easily.
ScriptAlias /php5 "/home/photos/php/php-current"
</VirtualHost>
2. create a file upload script using php script
3. upload a jpg file (or any file other than php for that matter)
4. check permissions of file which should always result in 600 that is
owned by the correct user
[root@webserver public_html]# ls -l 4.jpg
-rw------- 1 photos photos 101984 2010-11-23 13:14 4.jpg*
5. view file from web browser
Expected result would be that the browser displays the image. But the
actual result is error(13) which is a permission denied because the
webserver is actually trying to view the file using the default apache
user/group which for me is set to apache/apache. To prove this, if I
chown the 4.jpg file to apache.apache, I can then view the file. How
do I fix this without setting a huge gaping security hole in the site by
setting 655 (which would be needed to view the file via chmod). If I
change the owner to apache, then the php process could no longer
"delete" the file because then it's no longer the owner of that file.
Thus the only solution is to chmod it to 655 so that apache can read it
(along with ALL subdirs above the file) which is probably the biggest
security hole on the planet. There has to be a common solution to this
huge security issue.
Why is suexec only running php/cgi scripts as the user and not other
files as it should be?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org