Mods not installing (yet again)

[6Dasher]

I have a VPS running a number of sites. My main one uses SMF and has no issues installing mods/updates.

I made another forum a while back on 2.0.5 and wanted to update it, but this site does not install anything while it says it did. Added the /temp folder and 777d it. Things will not install for some reason. The zip is downloaded into the packages folder, but nothing to be seen in the temp folder, and no update really installed. Package manager does show the update to be installed, but it's not really.

Any tips?  I read the sticky on mods not installing, but as another site on the same server does not have any issues I don't think its a mod_security issue, and I never had to CHOWN the other site (even if I knew how that worked).

[margarett]

That's really a typical symptom of wrong files/folders ownership...

Try to ls -l your forum root and Packages folder, for a start.

[6Dasher]

NB: pg100 is the site/domain name.

Forum Root

Code Select Expand


drwxrwxrwx 4 pg100 pg100  4096 Mar 11 12:41 Packages
-rw-r--r-- 1 pg100 pg100 74088 Oct  1 23:55 SSI.php
-rwxrwxrwx 1 pg100 pg100  2403 Oct  2 08:37 Settings.php
-rwxrwxrwx 1 pg100 pg100  2403 Oct  4 16:46 Settings_bak.php
drwxrwxrwx 5 pg100 pg100  4096 Oct  1 23:55 Smileys
drwxrwxrwx 2 pg100 pg100  4096 Oct 25 12:14 Sources
drwxrwxrwx 5 pg100 pg100  4096 Oct  2 08:33 Themes
-rwxrwxrwx 1 pg100 pg100  3830 Oct  1 23:55 agreement.dutch.txt
-rwxrwxrwx 1 pg100 pg100  3343 Oct  1 23:55 agreement.txt
drwxrwxrwx 2 pg100 pg100  4096 Mar 11 14:48 attachments
drwxrwxrwx 4 pg100 pg100  4096 Oct  1 23:55 avatars
drwxrwxrwx 2 pg100 pg100 12288 Mar 11 22:01 cache
-rw-r--r-- 1 pg100 pg100 13981 Oct  1 23:55 index.php
-rw-r--r-- 1 pg100 pg100  1464 Oct  1 23:55 license.txt
-rw-r--r-- 1 pg100 pg100  2510 Oct  1 23:55 news_readme.html
-rw-r--r-- 1 pg100 pg100 21897 Oct  1 23:55 readme.html
-rw-r--r-- 1 pg100 pg100 27875 Oct  1 23:55 ssi_examples.php
-rw-r--r-- 1 pg100 pg100  5909 Oct  1 23:55 ssi_examples.shtml
-rw-r--r-- 1 pg100 pg100  8604 Oct  1 23:55 subscriptions.php


Packages

Code Select Expand

total 16
drwxrwxrwx 2 pg100 pg100 4096 Mar 11 12:39 backups
-rwxrwxrwx 1 pg100 pg100  324 Oct  1 23:55 index.php
-rwxrwxrwx 1 pg100 pg100   10 Mar 11 12:39 installed.list
drwxrwxrwx 2 pg100 pg100 4096 Mar 11 12:39 temp


[Chen Zhen]

You need to set the temp folder in your php.ini folder to the absolute path, this is the string setting:
upload_tmp_dir

This setting does not have to be located withiin your forum folder but rather should be in the parent of it.

Also the ownership of that temp folder should be root user : os or perhaps both as the os (os : os).
ie. for Apache it is www-data but for other OS it is different.
Not having half the ownership as the root (or sudo root) will mean issues attempting to manipulate files within it using your root terminal but for the temp folder to work for your forum installs it will need one or both to be os ownership.
File permissions should be 0755 (not 0777). I also suggest recursively adjusting your forum folder to 0755 permissions for security reasons.

Regards.

[Black Tiger]

@Underdog: What you're telling is not quite true for mod_installs
File permissions should be either 777 or 666, depending on which OS and which system is used.
Only use 755 on directory's and 644 on files if your system is using something like suphp or mod_ruid.
Ofcourse when installing mods, afterwards you can change them back to 755 and 644 for security reasons.

lso the ownership of that temp folder should be root user : os or perhaps both as the os (os : os)

This is also not true when using Linux in any case.
If you are using user:user the owner doesn't matter when everything is world writable.
When using suphp or mod-ruid2, things wil even stop working if you would change it to for example nobody:nobody. So normally chown is never needed.

But again... I'm talking Linux, not windows. I don't do hosting on windows.

[Chen Zhen]

Black Tiger,

  I have run an unmanaged VPS  using Ubuntu 10+ which is a Linux installation. I stated os whereas I should have stated web-server-app ie. Apache (www-data).
  0777 is not secure leaving that setting open like that. Never mind the documentation regarding file permissions on this site but rather go to a typical Linux OS installation home site and ask them if that is true or not & if it is safe/preferred to use 0755. As long as the permissions and ownership are set properly on the folders, the web-server-app should be able to use them. You don't make it world writable but rather local web-server-app writable which is my point. If you are needing to use 0777 to write to a folder then that means the ownership is not set properly if one intends to let the web-server-app (forum) use that folder to write to. 

  Ownership for Apache and user to have access would be ie. user:www-data doing that with 0755 permissions for the temp folder I was speaking of will allow it to be writable for Apache and the root-user. If the OP has to create a new php temp folder they will need to set chown and chmod for the forum (ie. Apache) to use it.  All these chown examples are Apache though, I do not know what web-server-app they are using.

[Black Tiger]

and ask them if that is true or not & if it is safe/preferred to use 0755

I'm a hoster. I know this by heart.

But I also know that if you chown to apache:apache or nobody:nobody (which is apache user) or www-data if ubuntu is using that, and you set your file rights to 644 or 755 it does not make any difference. You could leave everything also to 777.
Why? Because it will be like this with 755:
rwxr-xr-x apache.apache filename.ext
As you can see... apache (your webserver) has write permissions, and if apache has write permissions, so it's world writable anyway. I'm very curious where you see the safety in that.

As long as the permissions and ownership are set properly on the folders, the web-server-app should be able to use them.

That is not true unless something special is used like suphp or mod_ruid, which has a special structure to have php commands be done in name of the home directory user (so homedir owner). Maybe Ubuntu has something like that build in by default, but I can't remember Debian, Fedora, Redhat or Centos having something like that by default.

If you use user:www-data as you state, the www-data or better said, the apache user, has no write rights, because 755 means rwxr-xr-x, so no write permission for the group user (which is your apache user). You need write permissions to install mods for the apache-user. That won't work with 755 which is normally not used for files but for directory's, or 644 which is used for files, because the root-user (or homedirectory user as I call him) is owner and has the write rights.

The best way for safety is like I said. Chmod to 777 as the docs says, install the mod, and change back to 644 or 755 and keep the owner as is where possible for safety.
As you can see after some use of the forums, several ownerships will be www-data:www-data anyway.

[Black Tiger]

Sorry, I missed this:

If the OP has to create a new php temp folder they will need to set chown and chmod for the forum (ie. Apache) to use it.

Correct, that is one way of doing it, but limit it to the temp folder, because the world writable part stays there for the web user (apache).
That's why its better to temporarily chmod to 777, the window of oppertunity is much smaller like that.

P.s. Your solution won't work on a lot of hosting servers out there, who won't allow to chown to the apache user. So in lots of cases the temp 777 is the only solution. Unless you have a good hoster, which uses suphp or mod_ruid2, and you only have to use 755 and 644 and also no chown ever.

[Chen Zhen]

Black Tiger,

  So you are saying that giving a folder the apache ownership (www-data) has the same effect as giving it 0777/0666 permissions whereas anyone can then write to it? That it should be user ownership (if chown is configurable) and then temporarily change to 0777 when apache needs to write to it otherwise it should be changed back to 0755 or 0644?

[Black Tiger]

As for an answer to your question. Yes, that is exactly what I mean. Normally a home directory is already owned by user. No chown needed for that.
So exactly said. Folders and files should be user:user and chmod 755 and 644. Only change to 777 for mod installs, and change back to 755 and 644 when ready.

These are my thoughts about the 777:
World writable means that apache can write to a file, because when some action is taken via the web (f.e. by a visiting user) it will be executed as user nobody, correct?(Centos apache servers run mostly under the user nobody, so that's why I call it nobody).

If that's correct.... I don't see any difference, between giving only apache (user nobody) write rights or everybody. Because imho apache=everybody (every web user, so world writable).
Because if a file is owned like user:user and giving 777 then nobody is "other" and also has write permissions that way.
At this moment I'm confused, because I don't understand the difference between both write permissions, imho there isn't any difference, because in both cases write permissions are for user nobody (apache).

There is another problem however, which also occurs on a cpanel server on which I have a private shared hosting account.

Several files get owned by apache (in my case the user nobody) which has the result that I can't delete or overwrite them anymore via FTP, because I'm not owner anymore. This might also proove that I might be mistaken over what I just said about it being the same.
On my servers I don't have this problem anyway because I use mod_ruid2.

Maybe we can discuss this better in another section of the forum. I would not want to disturb this thread with a discussion?

[Chen Zhen]

Several files get owned by apache (in my case the user nobody) which has the result that I can't delete or overwrite them anymore via FTP, because I'm not owner anymore. This might also proove that I might be mistaken over what I just said about it being the same.

  That's why I was trying to say set the ownership to user:www-data because that way it gives the forum access and also the ftp client access. At least from what I remember from when I ran a VPS using Ubuntu. Your probably correct though as for the safest set up regarding security and perhaps just use the terminal (as root or sudo-root user) to edit files (ie. nano to Vim) instead of FTP. For copying use the terminal to send them to a parent dir somewhere (away from the forum dir) and set ownership to allow the FTP client to access them there.

  I might go the VPS route again and hone my knowledge of setting up the necessary infrastructure since it's been a while. I'm just not willing to pay for the resources I would like with the prices I see atm. Imo I should be getting double the resources at $15 USD/month or at least 1.5 of what is offered.

  As for the the OP's original problem.. Imo the upload_tmp_dir in php.ini could be the issue. Even though no setting for it usually directs to a default path, I have found this setting to be necessary.  How does that folder setting work then? Apache needs access to it to use it as the temp folder and it is supposed to reside in a parent folder to the forum archive. Does BIND9 not allow  "nobody" to access prior to the initial forum folder. Even if it did how would someone guess its path? Also if it is blank and the default path was being used, apache would have access to said path and hackers would know this default path yet I'm fairly sure the default settings are usually safe. So how does that work then if Apache/nobody has access to that path, why can't a hacker run a malicious script somehow from it? Just curious.

[Black Tiger]

That's why I was trying to say set the ownership to user:www-data because that way it gives the forum access and also the ftp client access.

That is indeed correct, however if you chmod that to 755, only the user has write access and the www-date only has read and execute rights, which imho will give problems installing mods, because write access is needed at that point.
So you still need to give write access, however a chmod 764 might be already sufficient then, it gives group write permission, so apache can write to it.

As for the OPS problem, I agree with you that it probably has to do with php.ini settings you mention.

So how does that work then if Apache/nobody has access to that path, why can't a hacker run a malicious script somehow from it? Just curious.

That's exactly what I'm wondering about now too. Because a hacker can abuse the normale /temp directory for scripts to run.
For this reason a lot of hosters adjust the systems temp directory and mount nosuid, noexec, and nodev. Meaning that no suid programs are permitted, nothing can be executed from that partition, and no device files may exist. Still there are other ways to execute scripts... within 777 directory's for example.

[6Dasher]

So, one year later... why is this even an issue???  I can't install updates, running on the same vps as another site and there there is no issue. Why do I need an IT guy to get a mod to install and use a temp dir?

Is there any solution to this. My forums are about useless at this point. Time to switch?

[margarett]

Nop, it's still an issue on your server, sorry to say

Why are your forums useless?

[Steve]

I suspect since he can't update they might as well be useless. I imagine they still function but without the ability to update them why would one want to use them?

Guesswork on my part though.