
suPHP and permission problems

Discussion in 'General Discussion' started by Troikos, Jan 8, 2010.

  1. Troikos

    Hi all, I'm hoping you can bestow some of your knowledge on me.

    I have recently enabled suPHP using easyapache. Everything went well and it built and started with no problems. PHP was being executed under the proper user names.

    I came across a problem where PHP was not applying the nobody group to files that it created. Obviously this prevented apache from accessing the files once they were created (uploaded files from a php script, etc.).

    I set the primary group of each of the user accounts to be nobody and rebuilt httpd.conf using cPanel. Everything is working perfectly now.

    My problem is when I create new user accounts. Is there any way to set cPanel to assign the nobody user group to new users and prevent me from having to manually do it each time I add an account?

    Or is there a better way for allowing apache to access files/folders that php creates under the user accounts without having to add them to the nobody group?

    Thanks for the help!
     
  2. brianoz

    Without knowing specifics, it sounds like it's working as it should, but there's not a lot of doco out there on this so I'm not surprised you're confused.

    Under suphp, files and directories should be owned by the user and group of the user, not nobody under any circumstances. Likewise, when files are created under suPHP they should also be owned by the specific user and group, not nobody.

    Access for Apache/nobody is provided by public_html being group nobody, mode 750, i.e. with read to group. This allows Apache the access it needs. Subdirectories and files should be mode 755 and owned by the user's user-id and group, which allows access to nobody.

    This is a relatively simple method which allows everyone to be happy; the only (slight) disadvantage is that it breaks horribly if public_html doesn't have group nobody ownership. Note that public_html should NOT be owned by nobody, it must be owned by the user's user-id for this to work.

    There's a command to fix this - yes - it's /scripts/chownpublichtmls - run that with no args and you should be fine:

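    Code:
    /scripts/chownpublichtmls

    To make it really clear, you could also fix it with a script like:

    Code:
    # Stop if /home is missing, so chown -R never runs in the wrong directory
    cd /home || exit 1
    for user in *
    do
       # Everything in the home directory goes back to the user's own user and group
       chown -R "$user:$user" "$user"
       # Only public_html itself gets group nobody, which is what lets Apache in
       chown "$user:nobody" "$user/public_html"
    done
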
    The above script's a little loose (it will also do non-cPanel users), so you're safer using the supplied chownpublichtmls script, but you get the idea.
     
    #2 brianoz, Jan 9, 2010
    Last edited: Jan 9, 2010
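
The layout described in the post above (public_html owned by the user with group nobody and mode 750, contents owned by the user's own user and group and world-readable) can be checked mechanically. This audit function is an added example, not part of the thread or of cPanel's scripts; `audit_docroot` and its parameters are hypothetical names, and the demo uses the current user's ids as stand-ins because it cannot chown without root.

```python
import os
import stat
import tempfile

def audit_docroot(docroot, user_uid, user_gid, web_gid):
    """Compare a public_html tree with the layout described in the post.
    Returns (path, problem) tuples; an empty list means it conforms."""
    findings = []
    st = os.stat(docroot)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != user_uid:
        findings.append((docroot, "public_html not owned by the account user"))
    if st.st_gid != web_gid:
        findings.append((docroot, "public_html group is not the web server group"))
    if mode != 0o750:
        findings.append((docroot, "public_html is mode %04o, expected 0750" % mode))
    for root, dirs, files in os.walk(docroot):
        for name, is_dir in [(d, True) for d in dirs] + [(f, False) for f in files]:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            mode = stat.S_IMODE(st.st_mode)
            if (st.st_uid, st.st_gid) != (user_uid, user_gid):
                findings.append((path, "not owned by the account's user and group"))
            # Apache reaches content through the "other" bits: r-x on
            # directories (755), r-- on files it serves directly (644).
            need = 0o005 if is_dir else 0o004
            if (mode & need) != need:
                findings.append((path, "mode %04o lacks world read access" % mode))
    return findings

if __name__ == "__main__":
    # Constructed tree: one conforming file and one created as 640.
    with tempfile.TemporaryDirectory() as home:
        root = os.path.join(home, "public_html")
        os.mkdir(root)
        for name, mode in (("index.html", 0o644), ("upload.jpg", 0o640)):
            open(os.path.join(root, name), "w").close()
            os.chmod(os.path.join(root, name), mode)
        os.chmod(root, 0o750)
        me = os.stat(root)  # stand-in ids: the demo cannot chown without root
        for path, problem in audit_docroot(root, me.st_uid, me.st_gid, me.st_gid):
            print(path, "->", problem)
```

On a real server the three ids would be the account's uid, the account's own gid and the gid of the nobody group.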
  3. Troikos

    Thanks for the reply.

    suPHP is indeed working as it should.

    My concern is that any time I create a new user account I need to set the user's group to be nobody (so that suphp will set the group on any files it makes to nobody so apache can access them) and edit the suphp directives in httpd.conf.

    My question is this:

    Is there any way to get cpanel to assign a primary group to a user when it makes the account? Once the user is assigned a primary group, cpanel generates the proper suphp directives in httpd.conf for me.

    I'm relatively new to cpanel but does it run a specific script for adding the user account that I could modify to also assign a primary group to the user?
     
  4. brianoz

    The permissions part should just work out of the box without fiddling.

    There's no need to set the files to nobody so Apache can access them as Apache doesn't need the files to be owned by nobody for them to be accessible. That's why the files are 644 or rw-r--r-- - that is, they're readable to everyone including Apache. As mentioned above, access control is enforced via the permissions on the public_html directory.

    If you have a PHP script creating files, it will do so under the user's uid and gid and you should ensure that files and directories created have the world read bit set (ie mode 755 for directories and mode 644 for files). You'll only need to worry about this if these files are .html or .htm and are directly accessed by apache, which is unusual.

    Hopefully that's making sense?
     
    #4 brianoz, Jan 10, 2010
    Last edited: Jan 10, 2010
  5. Troikos

    Ok, that makes sense.

    I checked the permissions on the files that were being created and they were set to 640 (rw-r-----) which I guess would explain why apache wasn't able to open them until I set suphp to assign them as the nobody group. How would I go about making sure that PHP is setting the permissions to be 644 when it creates files?

    [EDIT]

    I thought I should add that the umask setting is set to 0022 in suphp.conf
     
    #5 Troikos, Jan 10, 2010
    Last edited: Jan 11, 2010
  6. brianoz

    Strange; the default should be 644. The umask denotes bits to turn off in the default permissions, that is the write bits, ie -w- -w- = 2 2, where r=4, w=2 and x=1.

    In Unix, the permissions of a newly created file are a product of the permissions handed to the open call which are then masked by the active umask. I'd check both the call that creates the file, and verify the umask at the time. It's possible the files are being created mode 660 with the function doing the creating, or that the umask is being modified to be 027. When you check the umask, grab the value in PHP just before the file is created so you can be sure you have the final value.
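
Both explanations offered in the last reply produce the same 640 result, which is why the creating call and the umask each need checking. This added example (not from the thread; `created_mode` and `explain` are hypothetical names) uses Python's `os.open` to show the open-call mode being masked by the umask, since it exposes the Unix call directly.

```python
import os
import stat
import tempfile

def created_mode(requested, umask):
    """Create a file through open(2) with `requested` mode under `umask`
    and return the permission bits the kernel actually stored."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "probe")
        old = os.umask(umask)  # umask is process-wide, so restore it below
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
            os.close(fd)
        finally:
            os.umask(old)
        return stat.S_IMODE(os.stat(path).st_mode)

def explain(observed, candidates):
    """Return each (requested, umask) pair that would yield `observed`,
    using the rule: stored mode = requested AND NOT umask."""
    return [(r, u) for r, u in candidates if (r & ~u & 0o777) == observed]

# Constructed cases matching the thread.
CASES = [
    (0o666, 0o022),  # usual create mode with the suphp.conf umask -> 644
    (0o660, 0o022),  # the creating call asks for 660              -> 640
    (0o666, 0o027),  # the umask was changed to 027 before create  -> 640
]

if __name__ == "__main__":
    for requested, umask in CASES:
        got = created_mode(requested, umask)
        print("open(mode=%04o) under umask %04o -> %04o" % (requested, umask, got))
    for r, u in explain(0o640, CASES):
        print("640 is consistent with mode=%04o, umask=%04o" % (r, u))
```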
     