Public-Html folder

Sorry to reopen this thread...

I noticed that problem too:

On another server (hosting accounts) it was possible to upload to folders while the folder had the default permission (755).

On my current DA server PHP is compiled as an Apache module and I need to give the folder the permission 777. (I don't like that.)

Is this workaround a common one?

chown user.apache /home/user/domains/yourdomain.com/public_html
chown -R user.user /home/user/domains/yourdomain.com/public_html/*

Is there another way to give the user access to some folders?

I have the same problem with cronjobs I added to crontab where I have access as a reseller...
 
The only way you can upload using php accessed through http is if your http daemon has the rights to write to the subdirectory in question, or if the server is running suPHP. If the former, then it would have to be a fairly insecure (and complex) group membership management, and if the latter it would run php pages more slowly, sometimes quite a bit more slowly.

To read up on suPHP search for it in these forums.

Jeff
 
Hello Jeff,

I understand. I know about suPHP and I know that this module is not installed. The upload was just an example; I have the same "problem" with files I retrieve with curl which I want to save on the webserver.

In one case it's a reseller account where I can't change the configuration.

But do I understand you correctly that a folder with a permission of 0777 is not secure?
 
I've never traced through all the possible ramifications. I've asked on several lists populated by very knowledgeable systems administrators (for example, isp-webhosting, and linux-l) and they all say it's insecure.

Jeff
 
I run a script once a day in the root cron to work around the apache/user not being able to write problem. Since many people are using FTP combined with PHP applications like CMSes, we kept getting this same request.

Also, on another server (not a DirectAdmin setup), stuff like galleries which uploaded files as apache would not be counted towards the user quota, since the files are owned by apache. I'm not sure if that's also the case with DirectAdmin, since it has additional checks besides unix quotas.

But you can use a script like this. It will go over all homedirs, look for files and directories either owned by apache or set to 777 permissions, and change them to ownership username:apache with rights 775.

Code:
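#!/bin/sh
# Hand apache-owned or world-writable entries under /home back to each
# account as user:apache with mode 775. Meant to run from root's cron.

cd "/home" || exit 1

/bin/ls -1 | while IFS= read -r user
do
  # Symlinks are skipped: their own mode is 0777, so -perm -2 matches them,
  # and chown/chmod would then change whatever they point at.
  /usr/bin/find "/home/$user" ! -type l \( -user apache -or -perm -2 \) -print | \
  while IFS= read -r line
  do
    if [ -f "$line" ]; then
      /bin/chown "$user:apache" "$line"
      /bin/chmod 775 "$line"
      echo "File: $line $user"
    else
      # In case of php safe_mode we should use user:user on directories because
      # otherwise files would be created with httpd group which would cause
      # safe_mode to stop execution. If safe_mode isn't used keep it like this.
      /bin/chown "$user:apache" "$line"
      /bin/chmod 775 "$line"
      echo "Directory: $line $user"
    fi
  done
done
# Fix possible bad group setting due to homedir symlinks.
# Stop if the cd fails, otherwise chgrp would run on the current directory.
cd /var/spool/virtual || exit 1
chgrp mail *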

Run this at your own risk though; you should never blindly run scripts without testing them first.
A good way to test this would be putting 'echo' in front of the chown and chmod commands to see if it's doing the commands you'd want it to do.

We don't run suphp or phpsuexec either because it poses an incredible security risk on the user's homedir and files like mailboxes. With the current setup only files owned by apache or set to 777 are at risk if an exploit would come out, with suphp EVERY file owned by the user on the system is at risk, something that's not a very wise thing imho.



edit: added chgrp entry at end to fix the chgrp setting of the /var/spool/mail dir due to homedir symlink
 
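An added example, not part of the thread or of any poster's script: a report-only audit in the spirit of the "echo first" advice above. It lists what a root-run permission fixer would select under a directory and labels symlinks, which chown and chmod would follow to their targets. The account name apache comes from the thread; audit_tree and demo are names made up for this example.

```shell
#!/bin/sh
# Added example: report-only audit, changes nothing on disk.
# Assumption: the web server account is "apache", as on the thread's server.

# audit_tree DIR [WEB_USER]
# Prints "KIND PATH" for each entry under DIR that is world-writable or owned
# by WEB_USER, i.e. what a root-run permission fixer would select.
audit_tree() {
    dir=$1
    web_user=${2:-apache}
    # find aborts on an unknown user name, so test ownership only if it exists.
    if id "$web_user" >/dev/null 2>&1; then
        set -- \( -user "$web_user" -o -perm -0002 \)
    else
        set -- -perm -0002
    fi
    # -exec ... {} + hands paths over as arguments, so names with spaces or
    # backslashes are not mangled the way a plain "while read" loop would.
    find "$dir" "$@" -exec sh -c '
        for p do
            # On Linux a symlink itself has mode 0777, so it matches -perm -0002.
            # chown (without -h) and chmod would then act on the link target.
            if   [ -L "$p" ]; then kind=SYMLINK
            elif [ -d "$p" ]; then kind=DIR
            elif [ -f "$p" ]; then kind=FILE
            else kind=OTHER
            fi
            printf "%s %s\n" "$kind" "$p"
        done' sh {} +
}

# Constructed sample tree for a dry run: sh audit.sh demo
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads" && chmod 777 "$t/uploads"
    : > "$t/index.php" && chmod 644 "$t/index.php"
    : > "$t/cache file.dat" && chmod 666 "$t/cache file.dat"
    ln -s /etc/passwd "$t/link"
    audit_tree "$t"
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Any SYMLINK line in the output is an entry where a chown or chmod run as root would change a file outside the directory being audited.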