suPHP and file ownership by FTP

[jrprince]

This issue involves what suPHP expects/allows and content ownership set via pure-FTPD upon uploading.

Specifically, we use suPHP as is typically recommended. public_html directories are all created as one expects, owned by username:nobody. However, any files uploaded via FTP to the public_html directories are also always owned by username:nobody. By default, suPHP is run in paranoid mode, which means any PHP file uploaded by default kicks a 500 Internal because the user and group are not as expected by suPHP.

Interestingly, setting paranoid_gid_check from the default true to false in /opt/suphp/etc/suphp.conf does not change this behavior. Also setting paranoid_uid_check to false does not help either.

The fix we use is a fixperms script which cleans up directory and file permissions and sets ownership of files inside public_html to username:username, although just changing the group ownership to username also works.

It can be difficult to manually manage waiting for users to contact with confusion to cause the "fix" to be applied.

I've searched a fair bit and cannot seem to find a way to either have suPHP not be so restrictive or have FTP set the file group ownership correctly, or as desired, upon uploading.

Any thoughts?

Version info:
apache: 2.4.46
apache_php_default_version: 5.6.40-3
apache_php_versions:
- 7.4.9-1
- 7.2.33-1
- 5.6.40-3
- 7.3.21-1
- 7.1.33-2
- 7.0.33-3
bind: 0
clamav: 0.99.2-2
cpanel_and_whm: 11.68.0.12
cpanel_php: 5.6.30-2
dovecot: 2.2.33.2 (d6601f4ec)
easyapache: 4
exim: 4.89-3
horde: 5.2.10
linux_kernel: 3.10.0-714.10.2.lve1.4.74.el7.x86_64
mailman: 2.1.23-10
munin: 0
mydns: 0
mysql: '5.6'
mysql_build: 5.6.38-1
nscd: 2.17-317
nsd: 0
openssh: 7.4p1-21
operating_system_name: cloudlinux
operating_system_version: '7.9'
p0f: 3.09b-1
postgresql: 0
postgresql_build: 0
powerdns: 0
proftpd: 0
pureftpd: 1.0.45
roundcube: 1.2.4-1
rsyslog: 8.24.0-57
spamd: 3.4.1
squirrelmail: 2012.12.09-4

 

[cPRex]

Hey there! This definitely sounds like an FTP issue. Is this happening with multiple users and across multiple FTP clients? It sounds like suPHP is behaving as it should, but the file upload is setting the wrong ownership.

If my hunch is correct, this is almost certainly a umask issue, and we have a great thread about that here: SOLVED - Incorrect upload File permissions 664

Can you work through that to see if that resolves the issue?

 

[jrprince]

Thanks cPRex, it does happen with every user, even on accounts with multiple ftp accounts…for several years now, actually.

I agree that it does sound like it should be fixable perhaps by getting FTP to set the group ownership correctly, but umask doesn't affect ownership, it only affects permissions. In this case though, the default permissions are preferable, 755 for directories and 644 for files, as specified in the suphp.conf file (0022 octal).

I'll note that permissions on files/directories created by php running on the server also come out the same way…expected/desired permissions, but ownership is still username:nobody.

It is also still curious that changing paranoid_gid_check does not actually seem to be honored by suPHP behavoir.

I have seen articles on affecting user/group ownership on pure-FTPD through database entries, but that is aimed more at if I were designing a system in which I used the pure-FTPD API to control how it behaved — and maybe that's how cPanel uses it, although by default I don't really have much visibility, or haven't tried to dig into the database behind cPanel to figure out if it's just setting the default group wrong for file-writes on FTP uploads, and I have not been able to find anywhere that I might change something to then change that behavoir.

 

[cPRex]

Sorry for that confusion - you're correct that umask would only apply to permissions.

Can you let me know how you're uploading the files over FTP. Is this happening through a client or through a browser tool?

 

[jrprince]

If uploaded through the File Manager in the cPanel interface, it gets the correct ownership — user and group match.

If uploaded through via FTP, SFTP, or even scp, files get user:nobody.

I'm glad you asked…I'd done a ton of digging thinking that something must be off about pure-ftpd somehow, but couldn't really find anything really relating to this. Getting the same results with scp hints that it's something outside of the service used to upload I think.

 

[cPRex]

Would you be able to submit a ticket to our team? I don't have any other reports of similar behavior that I could find at this time, so it would be best if we could investigate this issue directly on your server.

 

[jrprince]

Sure thing. I agree, if anything similar is out there, I've not been able to filter out enoug noise to find the signal.

 

[cPRex]

If you do get that ticket submitted please post the number here so I can follow along and keep the community updated.

 

[jrprince]

The ticket number is #94226887.

 

[cPRex]

Thanks for that - I'm following along now on my end :D