Permissions on PHP file uploads are a little weird.

[brettdavidsonnz]

Using a very basic forms/move_uploaded_file script to upload files to a host.

The host is loaded via the apache httpd.conf and is set to use suexec as a particular user:group. (Server is FreeBSD 6.3).

Files created with fwrite have correct user:group permissions but files uploaded with move_uploaded_file do not. They get the owner:group permissions of the backend lsws process.

Is this a known issue or am I doing something wrong?

 

[mistwang]

Please check the user id of lsphp processes. Please remove the old file and test again. if the file exist, the ownership will not be changed if upload again.

 

[brettdavidsonnz]

lsphp5 ownership is www so that will explain this issue.

Now then, if PHPsuEXEC is enabled and docroot UID is set, why would the process be owned by www?

Ownership when creating files works by (I assume) deciding this based on the directory ownership.

 

[brettdavidsonnz]

As a further note, the apache httpd.conf is loaded in via lsws' httpd_config.xml file. The systems uses Plesk.
This httpd.conf file in turn loads some includes (plesk.include) which then include a file for each domain (a httpd.include file within each domain).
The suexecUserGroup directive is set in these httpd.include files.

The system control panel shows the APVH virtual host entry and APVH listeners running. Does PHPsuEXEC only work with Litespeed listeners?

 

[mistwang]

can you PM me the login to LSWS admin console?

 

[mistwang]

I checked the server, it does use suexec for that vhost.
Can you please double check the suexecUserGroup configuration for that vhost. the user does exist.
And, you can send us your http.conf and included configuration file for analysis to bug @ litespeedtech ...

 

[brettdavidsonnz]

Done.

These have been emailed to the address you listed.

 

[mistwang]

One more question, does the server installed with "root" user? suExec only works when the user who run LSWS installer is "root". if you run the installer as "www" user, suexec will not work.

 

[brettdavidsonnz]

Yes. System installed as root but runs as www.

ps shows :

root 17697 0.0 0.1 5188 4240 ?? S 4:28PM 0:42.42 lshttpd (lshttpd.3.3.4)
root 17698 0.0 0.0 1296 692 ?? S 4:28PM 0:00.48 lscgid (lscgid.3.3.4)
www 17699 0.0 0.1 5156 4240 ?? S 4:28PM 0:33.41 lshttpd (lshttpd.3.3.4)
www 17700 0.0 0.1 5156 4236 ?? S 4:28PM 0:33.27 lshttpd (lshttpd.3.3.4)

 

[mistwang]

Can you please check the ownership and permission mask of lsws/bin/lscgid,
It should be owned by root with setuid bit set. suEXEC rely on it.

 

[brettdavidsonnz]

Ownership is :

-r-sr-xr-x 1 root www 10780 Feb 14 16:17 lscgid.3.3.4

 

[mistwang]

Looks correct.
Is there any security option in FreeBSD to disable setuid?
Is it possible to PM me a temp root ssh access?

 

[brettdavidsonnz]

There is but it is not utilised. (We have other programs running setuid successfully).

ssh access "PMed" to you.

 

[mistwang]

OK, after add environment variable "LSAPI_PPID_NO_CHECK" to lsphp5 external app configuration to prevent lsphp5 quit immediately, ps -aux shows that lsphp5 does run as "noc" user, so php suEXEC works properly.

 

[mistwang]

FYI:
http://www.litespeedtech.com/support/forum/showthread.php?t=1587

 

[brettdavidsonnz]

OK then. Now back to the original question.

It appears that the owner is now noc when using the move_uploaded_file function. Weird. I didn't change anything. Good that it's working however.

The group is still wheel though.
I have setting the ForceGID option but this does not appear to work, even with a complete hard restart of the server.

 

[brettdavidsonnz]

Thanks for the above link. Now I understand why the user was wrong and why the PPID check fixes it.

Any ideas about group ownership?

 

[mistwang]

Do you know how to check the gid of a process? maybe run "id" command from php script?

I just want to make sure the group id of lsphp5 is not "wheel". If it is, I will look into the code of lscgid.

BTW: please upgrade to 3.3.5 package first.

 

[mistwang]

Have you change the ownership of files/directories under lsws/conf?

drwx------  2 root  www    512 Feb 14 16:17 cert
-rw-------  1 root  www   3320 Feb 14 16:17 mime.properties
drwx------  2 root  www    512 Feb 14 16:17 templates

It will break the web console, all should be owned by "www".

 

[brettdavidsonnz]

No. Web console was working this morning.

Since you've been on the system, I can no longer access the server configuration pages.