Could not upload package, please check directory permissions! SMF 1.1.14 New Ins

Started by own3mall, July 31, 2011, 02:30:58 PM

Previous topic - Next topic

Tyrsson

Also, yes at first glance it would SEEM easier to lump everyone together, but once you do that, how can you tell them apart? See what I mean..... See the example above in my last post.

Yes, every account needs its own user. Period, or you have an insecure server environment. Limiting a user to their own directory is known a chroot'ing if memory serves and its a MUST, has to be, cant get around it in a shared environment unless you want total havoc the first time someone gets hacked.

Think about this. In your current config. If one site gets hacked, they all get hacked, and you are the one that will have to clean it up. It sucks, I have had to do it for clients that have setup servers the way yours is setup now.

Each account must have an owner for you to be able to identify that user. There is no way around it. Furthermore, the servers, yes that is plural because there is more than one.

Currently we are speaking on two different servers.

1. Apache (php runs as the apache user unless you specifically provision for it not too, ie suexec)

2. Ftp, which should run as the account owner when uploading or modifying files within a users directory, ir their docroot, their hosting space.

Here is where the ownership problems comes in.

Well, I really dont know how to explain it any better than I have. For an example, take the 0777 perms off of everything, and it will break down, unless apache is also running as the ftp user.

ownership (chown) doesnt not equal permissions (chmod).

Permissions (chmod) only holds true for those users that are within a group that gives access or for the owner, unless you are in one or are the other, explicitly, then you do NOT have access. Which can be gotten around by 0777 (world readable and writable), which you have been using, and which is a bad, VERY VERY bad idea within your current config.
PM at your own risk, some I answer, if they are interesting, some I ignore.

Tyrsson

QuoteYes, I am planning on doing more research on this ownership configuration; however, you have still not addressed why the SMF upload is not working.  My PHP script can upload a file with the same exact permissions.

What permissions would those be? 0777? No good, tells you nothing cause any user can both read and write the directory or file.

And yes, I have addressed the issue repeatedly within this topic.

Maybe this will help also:

http://wiki.simplemachines.org/smf/On_file_and_directory_permission_and_ownership
PM at your own risk, some I answer, if they are interesting, some I ignore.

own3mall

After doing more research, it would seem that configuring suPHP & suexec is not worth the trouble.  It would appear that every virtual host I've added would need to have its own user created and lines added to each virtual host entry in the conf file. 

If apache was supposed to run this way, they would have it running like this out of the box.  Thus, I do not think it's fair to claim that servers running without suPHP or suexec are configured improperly.  Do any hosting control panels even support suexec and set it up properly?  If so, please point me in that direction :).   This is way too complicated.  Unless my hosting control panel script creates users automatically, it would be too much work to mess up everything now.

I wish it were easy to configure.  I've read guides on setting it up, but if it's not compatible with the hosting control panel, manually creating users and configuring suPHP would take too long. 

Thanks for the help Tyrsson, I really appreciate it.  I don't have the expertise to set this up.  One of Linux's main flaws is how difficult this is. 

However, even with my configuration, I still don't understand why the package manager fails to upload files.  My directories are set for chmod 777, and it will not upload using the SMF script.  Works just fine for my upload script.  The file should at least upload according to everything I've read and what you've said.

own3mall

Also, from the article you linked me to:

Quote
When web hosts don't use suphp or suExec:

In this case, you still own files you create using ftp. Every time you use ftp to copy files to the server, they belong to you. But the webserver on these hosts does not run as you. It may run as "nobody", or else as a special username, perhaps "www-data" -- users who don't belong to the same group as your username does. This means that the webserver will not be able to write files in your directories unless you grant world write permission to your files and directories (chmod 777 for directories, 666 for files). Any new files created don't belong to you. That means that, if you are going to need to work with them later, you'll need to make these files world-writable, and directories world-executable, so that you can edit the webserver's files or delete them from webserver-created directories.

My directories have been chmod to 777.  Why doesn't the file upload?  Did SMF specifically decide to drop support for webservers that do not run suexec or suPHP?  I don't see a reason why the package can't upload! 

Tyrsson

Yes many hosting control panels support suexec etc. Cpanel I highly recommend.

If it was that easy, wouldnt every one be doing it?

None ever said being a host is easy, trust me I am one.

As for why it doesnt work with 0777, that is a good question. It would take me some time with shell access to answer that.

But here is my biggest concern for the users you are hosting. You have not even addressed the security issues I have raised with your server config. Hosting is not for the inexperienced unless you are willing to spend the time to learn and do things right. You owe that to the people you are hosting.

Do they run ecommerce via your site? If so and they get hacked and by chance find this topic, well you know they could hold you liable right?
PM at your own risk, some I answer, if they are interesting, some I ignore.

Tyrsson

And no SMF has not chose to drop support for servers that are not using suphp/suexec, without it though its hard in a shared environment.
PM at your own risk, some I answer, if they are interesting, some I ignore.

Tyrsson

QuoteAfter doing more research, it would seem that configuring suPHP & suexec is not worth the trouble.  It would appear that every virtual host I've added would need to have its own user created and lines added to each virtual host entry in the conf file.

If apache was supposed to run this way, they would have it running like this out of the box.  Thus, I do not think it's fair to claim that servers running without suPHP or suexec are configured improperly.  Do any hosting control panels even support suexec and set it up properly?  If so, please point me in that direction :).   This is way too complicated.  Unless my hosting control panel script creates users automatically, it would be too much work to mess up everything now.

Also, if this is truly your opinion, well, I hate to say it, but you shouldnt be hosting anyone other than your own site. Simple as that.
PM at your own risk, some I answer, if they are interesting, some I ignore.

青山 素子

* 青山 素子 sighs...

Time for a professional server admin to step in and comment on some of the issues expressed in this topic. (Seriously. My day job is managing servers.)

Quote from: own3mall on August 06, 2011, 01:08:00 AM
After doing more research, it would seem that configuring suPHP & suexec is not worth the trouble.  It would appear that every virtual host I've added would need to have its own user created and lines added to each virtual host entry in the conf file.

I wouldn't recommend suPHP, but suEXEC and FastCGI (usually through mod_fcgid) work very well. Yes, it means that you'll need to make a new user/group for each domain. This is a good thing as it partitions sites from each other. The default behavior means that one site's code can affect that of another site as both would be owned by the Apache user.


Quote from: own3mall on August 06, 2011, 01:08:00 AM
If apache was supposed to run this way, they would have it running like this out of the box.

Apache was created way back when static content was the practice and dynamic stuff was created by writing applications in C or C++ using the CGI interface. It was a simpler time back then.

Quote from: own3mall on August 06, 2011, 01:08:00 AM
Thus, I do not think it's fair to claim that servers running without suPHP or suexec are configured improperly.  Do any hosting control panels even support suexec and set it up properly?

I don't think it was explicitly claimed that not using suEXEC or suPHP is improper. However, it's tricky to use mod_php with Apache and normal FTP users (as opposed to virtual). You run into a lot of permission issues that way.

I believe both Plesk and Cpanel support suEXEC. ispCP Omega does as well, but I wouldn't recommend that at this time as it's too in-flux and immature for long-term use.


Quote from: own3mall on August 06, 2011, 01:08:00 AM
One of Linux's main flaws is how difficult this is. 

Nah, it's not the fault of Linux. IIS can be a pain to configure with the interaction between application pools, user contexts, account impersonation, etc.


Quote from: own3mall on August 06, 2011, 01:08:00 AM
However, even with my configuration, I still don't understand why the package manager fails to upload files.  My directories are set for chmod 777, and it will not upload using the SMF script.  Works just fine for my upload script.  The file should at least upload according to everything I've read and what you've said.

It's probably your configuration. Depending on how the permissions are in the various directories, the configuration of Apache, and other factors, it's possible that 777 permissions won't work as they are blocked as "too open".

The main problem is probably how you are handling FTP accounts. How are you configuring these? Are you using a control panel at all? Normally, for a plain mod_php install, you will want virtual FTP accounts so you can map user and group IDs and avoid a whole ownership problem.


Quote from: own3mall on August 06, 2011, 01:32:24 AM
My directories have been chmod to 777.  Why doesn't the file upload?  Did SMF specifically decide to drop support for webservers that do not run suexec or suPHP?  I don't see a reason why the package can't upload! 

Server configuration. SMF itself doesn't care how the server is configured. There is really no special support for suEXEC or suPHP that can be added or removed.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


abhizz

Quote from: Tyrsson™ on August 05, 2011, 07:57:05 PM
QuoteYes, I am planning on doing more research on this ownership configuration; however, you have still not addressed why the SMF upload is not working.  My PHP script can upload a file with the same exact permissions.

What permissions would those be? 0777? No good, tells you nothing cause any user can both read and write the directory or file.

And yes, I have addressed the issue repeatedly within this topic.

Maybe this will help also:

http://wiki.simplemachines.org/smf/On_file_and_directory_permission_and_ownership



I'm using ubuntu with smf directory permission guides  and i have no problem! thanks for the wiki direct link its useful

own3mall

I still can't get mine to work.  I've checked and checked permissions.  It's not working on my end.  Any way to get more info as to why?   What log files should I be looking at?

Everything works but SMF's package manager on my webserver.

own3mall

I can upload them manually through FTP, and they install just fine.  What a strange problem to have.

Tyrsson

QuoteI can upload them manually through FTP, and they install just fine.

Sorry but I do not have the time to re-post and repeat myself at length but the above quote should tell you all you need to know.
PM at your own risk, some I answer, if they are interesting, some I ignore.

abhi

Quote from: abhizz on August 25, 2011, 11:10:19 AM
Quote from: Tyrsson™ on August 05, 2011, 07:57:05 PM
QuoteYes, I am planning on doing more research on this ownership configuration; however, you have still not addressed why the SMF upload is not working.  My PHP script can upload a file with the same exact permissions.

What permissions would those be? 0777? No good, tells you nothing cause any user can both read and write the directory or file.

And yes, I have addressed the issue repeatedly within this topic.

Maybe this will help also:

http://wiki.simplemachines.org/smf/On_file_and_directory_permission_and_ownership



I'm using ubuntu with smf directory permission guides  and i have no problem! thanks for the wiki direct link its useful

Yes! you are right if we start with smf permission guides all will be fine! Before i have some problems in my ubuntu server with smf now all are fine!! Thanks community contributors

Advertisement: