modification of files created by apache

[samc]

Hello

I'm wondering, what's the best way for me to set up the permissions / setgid / umasks to allow the ftp users to access their files created by apache process (php...)

Files created by apache are owned by apache, permissions 640 with group psacln, so I can not modify those files by ftp

Are there some global ways to handle this ?

Thank you

Plesk 7.5.3 on FreeBSD 5.3

 

[EvolutionCrazy]

plesk 7.5.2 over RHEL 3ES

also in my case files created with functions like move_uploaded_file() get owned by apache:apache

same for dir created with mkdir and any other file created via script!!!!

whose file can't be deleted/removed/overwritten via ftp!!!

how can we fix this?

(the only thing that i've in mind is to create a cronjob that chown all the content of httpdocs every 12hours... but that isn't a fix!!!)

i hope someone from sw-soft can suggest us how to fix this...

 

[atomicturtle]

There are a couple of ways to do this now, suExec gets around this by making the process run as the user, so the files are created in that case as the user (this is in PSA now for cgi apps). suPHP does the same thing for php.

Other options would be to modify your code so that when you create your files they are either:
1) world writable
2) created through ftp, meaning rather than have apache write the file directly to the file system, apache logs in to localhost as the user over ftp to create the file
3) make your code use sudo to change the ownership of the files after the file is created

 

[EvolutionCrazy]

Originally posted by atomicturtle
There are a couple of ways to do this now, suExec gets around this by making the process run as the user, so the files are created in that case as the user (this is in PSA now for cgi apps). suPHP does the same thing for php.

Other options would be to modify your code so that when you create your files they are either:
1) world writable
2) created through ftp, meaning rather than have apache write the file directly to the file system, apache logs in to localhost as the user over ftp to create the file
3) make your code use sudo to change the ownership of the files after the file is created

i'm going to try suphp using this howto:
http://devzone.helixdevelopment.com/content/view/14/28/

i hope it will run ok

thanks atomicturtle

 

[EvolutionCrazy]

Originally posted by atomicturtle
There are a couple of ways to do this now, suExec gets around this by making the process run as the user, so the files are created in that case as the user (this is in PSA now for cgi apps). suPHP does the same thing for php.

Other options would be to modify your code so that when you create your files they are either:
1) world writable
2) created through ftp, meaning rather than have apache write the file directly to the file system, apache logs in to localhost as the user over ftp to create the file
3) make your code use sudo to change the ownership of the files after the file is created

i think that we need also to:

chenge in php.ini
session.save_path = /var/lib/php/session
to
session.save_path = /tmp

as suggested by Jamai here:
http://forum.sw-soft.com/showthread.php?s=&threadid=17369

 

[EvolutionCrazy]

ok, got it working

this is what i've done:

wget http://www.suphp.org/download/suphp-0.5.2.tar
tar -zxvf suphp-0.5.2.tar.gz
cd suphp-0.5.2
./configure --with-prefix=/usr --with-apxs=/usr/sbin/apxs --with-min-uid=0 --with-min-gid=0 --with-apache-user=apache --with-php= /usr/bin/php --with-setid-mode=owner
make
make install
nano /etc/httpd/conf/httpd.conf
CHANGE (BACKUP THE ORIGINAL BEFORE and place in a secure place out from /conf)
LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
TO
LoadModule suphp_module modules/mod_suphp.so
after add
suPHP_Engine On
nano /etc/httpd/conf/httpd.include
in every directory pointing to webmail
before
</Directory>
add
suPHP_Engine off
service httpd restart

that worked fine for me (adding a separated exclusion httpd conf in caused the opening of horde everytime i access to http://myip/ modifying direcly the httpd.include instead worked fine...

after about 2hours of testing i came back to the offiacial page and i've seen that a new release come out 0.6.0

i hope i just need to recompile it and replace the .so file?

nothing other got changed?

 

[EvolutionCrazy]

tried the 0.6.0 without success...

back to 0.5.2

in plesk we need to left php4_module loaded...

that's highly advised against from suPHP dev.... but that the only way to get it working (only version 0.5.2)...

otherwise (disabling php4_module) apache will not start becouse suphp cannot handle php_admin_flag and others php values...


this is how i installed it

wget [url]http://www.suphp.org/download/suphp-0.5.2.tar.gz[/url]

tar -zxvf suphp-0.5.2.tar.gz

cd suphp*

./configure --with-prefix=/usr --with-apxs=/usr/sbin/apxs --with-min-uid=0 --with-min-gid=0 --with-apache-user=apache --with-php=/usr/bin/php --with-setid-mode=owner

make

make install

(BACKUP THE ORIGINAL BEFORE and place in a secure place out from /conf)
nano -w /etc/httpd/conf/httpd.conf

CHANGE
LoadModule suphp_module /usr/lib/httpd/modules/mod_suphp.so
TO
LoadModule suphp_module modules/mod_suphp.so

AFTER ADD

suPHP_Engine On

(BACKUP THE ORIGINAL BEFORE and place in a secure place out from /conf)

nano -w /etc/httpd/conf/httpd.include

in every directory pointing to webmail
BEFORE
</Directory>
ADD
suPHP_Engine off

service httpd restart

now run a chown -R on the directory that have files owned by apache.apache inside and you are done ;)

however i've seen a little increase of server load... i've to investigate but i think that it's generated by the 2 php4 modules that i load with apache.... :/

i've see also some problems with eregi_replace()....

it reports a strange error...

to decrease a little the server load you can set php_admin_flag engine off in the conf/httpd.include inside the domains...

however for now i've removed it to see if the load of the server back to normal ...