CGI/PHP interaction, security concern?

BlueNoteWeb

On the site that I'm currently building, I have to upload files using a CGI script and then manipulate them with a PHP script. That was a great source of frustration to me for several days. I've finally found the solution to the permissions problem, but I'm a bit worried about the security aspect and about how to properly configure DA to work with this. Any advice would be greatly appreciated. The flow goes something like this:

- PHP script creates a form, user fills in the form, including a file to be uploaded. Form submits to a CGI script.
- CGI script accepts the form information, saves the files to /tmp/, passes all information about the saved files to a second PHP script.
- That PHP script verifies that the files are actually what they say they are (images and/or MP3s), deleting them if they are invalid/corrupted/script kiddies. PHP script then copies them to the proper locations in the user's home directory and updates the database appropriately.

The problem was that the CGI created the files owned by the user, but PHP was running as Apache and could not do anything with those files in the tmp directory. I solved this by adding these lines to that user's httpd.conf:
User apache
Group apache

Now the CGI script runs as apache rather than that user. The PHP script can then access and modify the created files.

The biggest question for the DA community: how do I keep those lines in that user's httpd.conf? I tried inserting them through the DA admin interface, but the DA interface added a second set of user and group lines with that user's username. The second set apparently overrode the first set because it did not work. If that httpd.conf file is overwritten the site will break.

This server will have several different sites on it, but they're all owned by the same guy. It's not a shared hosting environment so I'm not worried about other users being able to access those tmp files. Are there other security concerns involved with running CGI scripts as the apache user? Is it possible to run only certain CGI scripts as the apache user, perhaps? Am I going about this all the wrong way? I do have full root access to the server so I can make whatever configuration changes need to be made.

Yes, the obvious answer is to use either all CGI or all PHP. These particular CGI scripts are written in Perl and display a status bar for the upload. My knowledge of Perl is very limited and I don't have time to learn before the deadline on this project; PHP does not have the functions to create that status bar. Everything else about the site is already coded in PHP (which I know much better than I know Perl). If someone has an alternate suggestion of how to handle that I'm all ears.

Thanks in advance, I appreciate any advice you have to offer.
 
If you chattr the file immutable DA won't be able to overwrite it. man chattr should tell you how to do it.

As I was reading your post I was thinking that sites such as these shouldn't be on a shared server. Glad to see it's shared only by the same site-owner.

The problem is that files owned by apache can be manipulated by anyone in the world through apache. It's your job to keep that from happening.

Do both cgi and php have to write? If not perhaps you can write the files as owner apache, group siteowner, with the appropriate rights for read and write. You'll have to put them somewhere besides /tmp and set a mask so they'll be created the way you want them to be created.

Jeff
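
The arrangement suggested in the reply above (a location other than /tmp, group ownership shared with the web server, and a mask at creation time), as an added shell example that is not code from anyone in this thread. The spool path and group name you pass in are assumptions, the web server user is assumed to be a member of that group, and GNU `stat` is required.

```shell
#!/bin/sh
# Added example: shared upload spool for a CGI user and the web server user.
# The directory path and group name passed in are hypothetical.

# make_spool DIR [GROUP]: create DIR with setgid set and no access for "other".
make_spool() {
    dir=$1; grp=${2:-}
    mkdir -p "$dir" || return 1
    # Changing the group needs root or membership in GROUP.
    if [ -n "$grp" ]; then chgrp "$grp" "$dir" || return 1; fi
    # 2770: rwx for owner and group; setgid makes new files inherit the group.
    chmod 2770 "$dir"
}

# spool_write DIR NAME: store stdin as DIR/NAME under umask 007 (mode 660).
# NAME should be generated by the server, never taken from the upload form.
spool_write() {
    ( umask 007 && cat > "$1/$2" )
}

# audit_spool DIR: print one line per problem, return non-zero if any found.
audit_spool() {
    dir=$1; bad=0
    dmode=$(stat -c '%a' "$dir"); dgid=$(stat -c '%g' "$dir")
    case $dmode in
        [2367]??0) ;;
        *) echo "dir mode $dmode: want setgid and no world access"; bad=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f"); fgid=$(stat -c '%g' "$f")
        case $fmode in
            *0) ;;
            *) echo "$f mode $fmode: accessible to other users"; bad=1 ;;
        esac
        [ "$fgid" = "$dgid" ] || { echo "$f gid $fgid != dir gid $dgid"; bad=1; }
    done
    return $bad
}
```

With the spool set up this way the CGI script can keep running as the site user, so the `User apache` / `Group apache` override is not needed for PHP to read and delete the uploads.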
 
I'd stick with straight PHP for the upload and scrap the CGI mix. Not only does it present the obvious security concerns, it's a kludge.

You can do a status bar with PHP, just not on the same form as the upload...you need to do it in a popup...

Here's a great example with downloadable code..

http://www.raditha.com/php/progress.php
 
That's exactly the script I'm using. Some quotes from the page you linked to:

It took me five years to figure out something that PHP cannot do.
The answer that we came up with mixes PHP with perl. On most servers where PHP is installed you are certain to find perl as well. Though the perl manual strongly urges you to avoid tinkering with the raw post data, it's quite easy to manipulate it to create a pop that indicates upload percentage.

Then again most PHP programmers today aren't comfortable working with perl. So we will pass on the processing to a PHP script once file upload is complete. You are then back in familiar territory.

jlasman, thanks for the quick response. I've moved on to more pressing matters getting this site up and running but I'll definitely look into your suggestions.
 
Then, personally, I'd drop the whole idea of a progress bar...to me security over eyecandy is a no brainer. :)

There's this php extension..

http://pdoru.from.ro/
 