httpd-users mailing list archives

From Toni Moreno <toni.mor...@gmail.com>
Subject Re: [users@httpd] mod_fcgid upload permission changes.
Date Wed, 12 Dec 2012 14:26:37 GMT
Hi Ben, Eric, I'm developing a centralized IT-administration platform
(http://sourceforge.net/projects/itsat/).

Each user has an HTTP certificate and an OS user in the platform who belongs
to a generic "itsatadm" group, and the only way to put files should be by
HTTPS. No SCP or SFTP allowed.

In this environment, I need to execute PHP scripts with arbitrary EUID
permissions (the EUID depends on the user who makes the POST).

Upload (file transfer and storing) is done by Apache, not by me!

I've tested your suggestion (adding a chmod while still root) but it
doesn't work:

:PHP ERROR [2] : fopen(/tmp/phpaP806V) [<a
href='function.fopen'>function.fopen</a>]: failed to open stream:
Permission denied.

==========================
Your suggestion's execution-level stack (not working)
==========================

apache(itsat:itsatadm) -> writes data with mod_php ( 640)
> mod_fcgid (itsat:itsatadm) -> leaves /tmp/XXXX ( 600 )
>> php-cgi ( root:itsatadm) -> leaves /tmp/XXXX
>>> my_upload_handler.php ( as root)
*---------> (* added) chmod /tmp/XXXXX ( 1200 )*
---------> change EUID ( as $user )
---------> ( do things)
---------> read /tmp/XXXX and store to  ~$user/
---------> finish upload

==================

I've finally bypassed this trouble by setting the effective permissions to
root ONLY to open the temporary file.

posix_seteuid(0);                    // back to root, only for the open
$fh = fopen('/tmp/phpaP806V', 'r');  // the mod_fcgid temp file (mode 600)
posix_seteuid($user);                // drop back to the requesting user's uid


================================
Bypassed execution-level stack (IT WORKS)
================================

apache(itsat:itsatadm) -> writes data with mod_php ( 640)
> mod_fcgid (itsat:itsatadm) -> leaves /tmp/XXXX ( 600 )
>> php-cgi ( root:itsatadm) -> leaves /tmp/XXXX
>>> my_upload_handler.php ( as root)
---------> change EUID ( as $user )
---------> ( do things)
*---------> posix_seteuid(0)
---------> fopen(/tmp/XXXX)
---------> posix_seteuid($user)*
---------> store file to  ~$user/
---------> finish upload

But this is *NOT* the best solution, since *my_upload_handler.php is a
third-party library!!!!*

I will look for a better solution in the future.

Finally, I can't understand what apache/mod_fcgid/php-cgi is doing internally
with the umask while uploading a file.

Thanks to all (Eric and Ben).

:)

2012/12/11 Ben Johnson <ben@indietorrent.org>

>
>
> On 12/11/2012 1:12 PM, Eric Covener wrote:
> > On Tue, Dec 11, 2012 at 1:01 PM, Toni Moreno <toni.moreno@gmail.com> wrote:
> >> I would be happy to know another way to upload files for any users on the
> >> system through HTTPS.
> >
> > mod_fcgid doesn't do this for you. If you POST to a fastcgi, read the
> > post body in whatever direct way your language provides.  Don't try to
> > figure out what temporary file the server may have created in the
> > background and read it as a file.
> >
> >
> >> But the question is: why does mod_fcgid change the Apache umask? Is that
> >> the correct way to proceed, an undefined configuration, or a bug?
> >
> > Read your system's manual entry for "mkstemp". This family of
> > functions doesn't create files with just the umask masked off; it
> > explicitly controls them.
> >
>
> Toni, to add to what Eric said above, I think most of us are trying to
> understand why you are attempting to control file permissions at the
> Apache layer (or worse, the OS layer).
>
> Applications should be portable. If you move your application to another
> server, it should function the same way. By attempting to control the
> initial permissions with which Apache creates files, you are violating a
> fundamental tenet of the portability principle.
>
> If I read your original post correctly, PHP should have the permissions
> required to call chmod('/tmp/fcgid.tmp.PEozaa/', octdec('0644')). Problem
> solved.
>
> -Ben
>


-- 

Regards,

Toni Moreno

699706656

*If you would not be forgotten as soon as you are dead and rotten, either
write things worth reading, or do things worth the writing.*

*Benjamin Franklin*
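On the umask question above and Eric's pointer to mkstemp(3): an added C demonstration, not from this thread (the file names and helper names are constructed for it), showing that mkstemp() requests mode 0600 explicitly, so the umask Apache runs with can only narrow it and never widen it, whereas open(O_CREAT, 0666) is the kind of call a umask actually shapes. That is why a handler that has already switched to another EUID cannot read the upload, whatever umask mod_fcgid inherited.

```c
/* Added demonstration (not from the thread): why the mod_fcgid temp file is
 * 0600 whatever umask Apache runs with. File names are constructed. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (or -1 on error) of a file created by mkstemp() under the
 * given umask. mkstemp() requests 0600 explicitly; the umask can only clear
 * bits from that, so under any ordinary umask the file stays owner-only. */
long mkstemp_mode_under_umask(mode_t mask) {
    char path[] = "/tmp/fcgid-demo.XXXXXX";  /* constructed, not mod_fcgid's */
    struct stat st;
    mode_t old = umask(mask);
    int fd = mkstemp(path);
    umask(old);                               /* restore the caller's umask */
    if (fd < 0) return -1;
    int rc = fstat(fd, &st);
    unlink(path);
    close(fd);
    return rc < 0 ? -1 : (long)(st.st_mode & 07777);
}

/* For contrast: open(O_CREAT, 0666) does get the umask subtracted, which is
 * the behaviour the thread expected of the upload path. */
long open_mode_under_umask(mode_t mask) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/tmp/umask-demo.%ld", (long)getpid());
    mode_t old = umask(mask);
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    umask(old);
    if (fd < 0) return -1;
    int rc = fstat(fd, &st);
    unlink(path);
    close(fd);
    return rc < 0 ? -1 : (long)(st.st_mode & 07777);
}

int main(void) {
    printf("mkstemp, umask 000:   %04lo\n", (unsigned long)mkstemp_mode_under_umask(0000));
    printf("mkstemp, umask 077:   %04lo\n", (unsigned long)mkstemp_mode_under_umask(0077));
    printf("open 0666, umask 022: %04lo\n", (unsigned long)open_mode_under_umask(0022));
    return 0;
}
```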
