httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lowlight <>
Subject [users@httpd] suexec + file upload == permission denied for non php/cgi scripts
Date Tue, 23 Nov 2010 21:03:43 GMT
Ok, so I have suexec working on my server and it's successfully serving 
pages as user's.  The problem is that whenever a user uploads a file via 
a php or cgi script, the file gets 700 permissions (WHICH IS WHAT I 
WANT), but when the webserver goes to serve that file, it does NOT 
change to the suexec user if the file is not a "script" file.  Lets say 
the user uploads a .jpg file.  The file is uploaded perfectly.  The user 
can "load" the file using php just fine etc, but if the user tries to 
"view" the image with a web browser then the server rejects it because 
it's attempting to use the default apache user to view the uploaded 
file.  How do I get apache to totally run as a specified user?  Heres 
how to reproduce:

1.  Get suexec working and setup this virtual host
       DocumentRoot /home/photos/public_html
       CustomLog /home/photos/access.log combined
       ErrorLog /home/photos/error.log
       SuexecUserGroup photos photos
       #php-current is simply a name I gave php 5.2.14 that I compiled.  
I use different versions of php for different clients, using a standard 
name allows me to hardlink different versions easily.
       ScriptAlias /php5 "/home/photos/php/php-current"

2.  create a file upload script using php script
3.  upload a jpg file (or any file other than php for that matter)
4.  check permissions of file which should always result in 600 that is 
owned by the correct user
[root@webserver public_html]# ls -l 4.jpg
-rw------- 1 photos photos 101984 2010-11-23 13:14 4.jpg*
5.  view file from web browser

Expected result would be that the browser displays the image.  But the 
actual result is error(13) which is a permission denied because the 
webserver is actually trying to view the file using the default apache 
user/group which for me is set to apache/apache.  To prove this, if I 
chown the 4.jpg file to apache.apache, I can then view the file.   How 
do I fix this without setting a huge gaping security hole in the site by 
setting 655  (which would be needed to view the file via chmod).  If I 
change the owner to apache, then the php process could no longer 
"delete" the file because then it's no longer the owner of that file.  
Thus the only solution is to chmod it to 655 so that apache can read it 
(along with ALL subdirs above the file) which is probably the biggest 
security hole on the planet.  There has to be a common solution to this 
huge security issue.

Why is suexec only running php/cgi scripts as the user and not other 
files as it should be?

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message