Lost ftp access and got 403 Forbidden error after trying to reset permissions

Started by Guillelmus, November 06, 2011, 08:21:18 AM


Guillelmus

I'm in a pretty nasty situation here.

I used the ftp tool at Admin -> Package manager to reset permissions on my forum so that the php files and folders would be read-only.

However, after performing this I cannot access my site at all. I get a 403 Forbidden error. Even when trying to connect with an FTP client I get an Access denied error.

What happened?

Ricky.

Well, again from the SMF Permission tool, change them.
This tool can change permissions but it won't hinder you from logging in to your FTP.

kat

If he can't access his forum, he can't use the permissions tool... ;)

Not being able to access anything via FTP is really kinda weird, though.

Can you change the permissions if you use your site's CPanel's File Manager?

MrPhil

What did you change permissions to? 755 for folders and 644 for files would be normal. 555 and 444 would be read-only (I don't know why you would want to do that... do you not trust yourself to not go around randomly deleting files?). Depending on your PHP setup, you might have to grant extra write permissions to certain folders for things like avatar and attachment uploads, not to mention upgrade and mod packages. Anyway, it sounds like you might have changed permissions to 000 or something, which would require your host to reset your folder and file permissions. Have you tried going through the hosting control panel's file manager to change permissions? You might not even be allowed to change them from FTP or from SMF.
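The modes named in the post above (755/644 as the normal baseline, 555/444 as read-only, 000 as unusable) can be checked from a shell. The script below is an added example, not part of the original thread and not SMF code: it flags folders the owner cannot enter, files the owner cannot read, and anything world-writable. The sample tree, its file names and the category labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root against the 755 (folders) / 644 (files) baseline.

# Print one "CATEGORY path" line per problem found under $1.
audit_perms() {
    root=$1
    # A folder needs r and x for its owner. Without x it cannot be entered,
    # so its contents look "gone" to FTP and PHP although they still exist.
    find "$root" -type d ! -perm -500 -print -prune 2>/dev/null |
        sed 's/^/OWNER_LOCKED_DIR /'
    # Files the owner cannot read (for example mode 000). Locked folders are
    # pruned: their contents are already covered by the line above.
    find "$root" -type d ! -perm -500 -prune -o -type f ! -perm -400 -print 2>/dev/null |
        sed 's/^/OWNER_UNREADABLE_FILE /'
    # World-writable entries (777, 666) are looser than the baseline.
    find "$root" -type d ! -perm -500 -prune -o ! -type l -perm -002 -print 2>/dev/null |
        sed 's/^/WORLD_WRITABLE /'
}

# Build a constructed sample tree and print its temporary location.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/forum/Sources" "$t/forum/attachments"
    : > "$t/forum/index.php"
    : > "$t/forum/Settings.php"
    : > "$t/forum/Sources/Load.php"
    chmod 755 "$t/forum"
    chmod 644 "$t/forum/index.php" "$t/forum/Sources/Load.php"
    chmod 000 "$t/forum/Settings.php"   # unusable file
    chmod 777 "$t/forum/attachments"    # world-writable folder
    chmod 444 "$t/forum/Sources"        # file-style read-only on a folder drops x
    echo "$t"
}

# Number of findings in one category.
count_category() { audit_perms "$1" | grep -c "^$2 "; }

# Restore owner access so the sample tree can be deleted.
drop_sample_tree() { chmod -R u+rwx "$1" 2>/dev/null; rm -rf "$1"; }

tree=$(make_sample_tree)
audit_perms "$tree/forum"
drop_sample_tree "$tree"
```

Pointing `audit_perms` at a real web root only reads metadata; it changes nothing.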

Guillelmus

According to my service provider not only were the permissions of the files changed, but the files disappeared altogether. However, since the situation is still open, I cannot confirm this.

However, this is what I did: I selected all the directories and available files and chose the green radio box (Read permissions) and then clicked go.

I probably cannot revert the change except by restoring the backups, but I'm still interested in what the heck happened...

edit: I can't use the cPanel tool either.

MrPhil

Maybe there's some incompatibility between SMF's attempt to change permissions and your hosting system. I would suggest using your hosting control panel's file manager to do all such operations. If you can find something repeatable with SMF's panel vaporizing your files, I'd report it as a bug. Meanwhile, what kind of hosting do you have -- Linux/Apache, or Windows/IIS? If Apache, does your host bar FTP permission changes? Do they use suPHP or otherwise have access controls? Do they have mod_security?

Guillelmus

Quote from: MrPhil on November 07, 2011, 10:57:31 AM
Maybe there's some incompatibility between SMF's attempt to change permissions and your hosting system. I would suggest using your hosting control panel's file manager to do all such operations. If you can find something repeatable with SMF's panel vaporizing your files, I'd report it as a bug. Meanwhile, what kind of hosting do you have -- Linux/Apache, or Windows/IIS? If Apache, does your host bar FTP permission changes? Do they use suPHP or otherwise have access controls? Do they have mod_security?
Here's a screenshot of the reconstructed situation:
http://i39.tinypic.com/2dayv48.png

I usually operate through an external FTP client, and SMF's FTP tool hasn't been working previously. But since the one that comes built in with Drupal works, I decided to give SMF's client another try.

Here's the information my host provider gives:
Quote
Debian GNU/Linux 4.0 (etch) / 5.0 (lenny)
Linux 2.6.29.4 (kernel x86_64, 32bit userland)
Apache 2.2.11
ProFTPd 1.3.2
Dovecot 1.1.15
SpamAssassin 3.2.5
exim 4.62
DirectAdmin 1.33.6

PHP 5.2.14
Zend Optimizer 3.3.9
Unzip: /usr/bin/unzip
ImageMagick: /usr/bin
Pear: /usr/local/lib/php

Is there a way to find out about suPHP and mod_security?

MrPhil

Running
<?php phpinfo(); ?>
might tell you if suPHP is in use (I'm not sure -- it may depend on how the server is configured). mod_security is outside of PHP, so I don't think it will show up there. You can either ask your host, or just go ahead and try disabling mod_security via .htaccess and see if there's any difference. SMF doesn't need it, and it just gets in the way.

Guillelmus

Quote from: MrPhil on November 08, 2011, 11:51:19 AM
Running
<?php phpinfo(); ?>
might tell you if suPHP is in use (I'm not sure -- it may depend on how the server is configured). mod_security is outside of PHP, so I don't think it will show up there. You can either ask your host, or just go ahead and try disabling mod_security via .htaccess and see if there's any difference. SMF doesn't need it, and it just gets in the way.
Hmm... Didn't find trace of suPHP in that listing. Also tried setting 777 permissions to a php-file, but it loaded without error. If I understood correctly this indicates that suPHP is not in use.

Adding a SecRule line to .htaccess caused Apache to give errors, so I guess neither suPHP nor mod_security is enabled.

Here's a link to the results of phpinfo().

MrPhil

I see a mod_suexec, but I don't know if that's associated with suPHP. If it doesn't care about 777 permissions, you probably don't have suPHP. How did you attempt to disable mod_security? I don't remember offhand the incantation for doing it, but "SecRule" doesn't sound familiar. If you look around this forum, there's probably the two lines listed somewhere.

By the way, you shouldn't have a publicly accessible phpinfo display. It contains information that might be useful to a hacker to break into your system. I would remove phpinfo.php.

Has your host been able to help you with your original problem?

Guillelmus

Quote from: MrPhil on November 08, 2011, 12:39:44 PM
I see a mod_suexec, but I don't know if that's associated with suPHP. If it doesn't care about 777 permissions, you probably don't have suPHP. How did you attempt to disable mod_security? I don't remember offhand the incantation for doing it, but "SecRule" doesn't sound familiar. If you look around this forum, there's probably the two lines listed somewhere.

By the way, you shouldn't have a publicly accessible phpinfo display. It contains information that might be useful to a hacker to break into your system. I would remove phpinfo.php.

Has your host been able to help you with your original problem?
Adding line: SecFilterEngine Off to .htaccess gives: 500 Internal Server Error. That is the command for disabling mod_security, so it seems mod_security is not enabled.

My host restored the site from backups, so the forum works again. If I file this as a bug report, what information should I include? (I probably don't want to reproduce the bug, though :) )

Herman's Mixen

It's not a "bug"... it just throws a 403 error document if it can't find any of the allowed file extensions within the DirectoryIndex, for example .html .php
If there is no index.html or index.php then Apache will show you 403 error documents ;)

You did something wrong with the chmod permission, that's why the files/folders disappeared
With kind regards, The Burglar!

 House Mixes | Mixcloud | Any Intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our dutch community ;)

Guillelmus

Quote from: The Burglar! on November 09, 2011, 08:33:44 AM
It's not a "bug"... it just throws a 403 error document if it can't find any of the allowed file extensions within the DirectoryIndex, for example .html .php
If there is no index.html or index.php then Apache will show you 403 error documents ;)

You did something wrong with the chmod permission, that's why the files/folders disappeared
Should the operation described in the picture lead in to this situation? http://i39.tinypic.com/2dayv48.png Seems abnormal.

Illori

depending on server confirmation in some rare cases this has been reported, the developers are aware but don't have a fix.

Guillelmus

Quote from: Illori on November 10, 2011, 08:10:40 AM
depending on server confirmation in some rare cases this has been reported, the developers are aware but don't have a fix.
Have they been able to identify the conflicting configuration? If there are existing reports on this bug I could take a look to see if I find anything familiar in those situations.

Illori

no they have not found out anything yet. i am not sure that there are any reports for you to view at this time.
