Results 1 to 24 of 24
-
05-13-2011, 09:22 PM #1Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
Chmod (nobody) write permissions reset after server update
I have a php upload form that allows me to upload images and set them to a folder, works fine.
However, it seems anytime there's a server update, I need to login as root and re-set the permissions to "nobody" - is there something I can do via php or set via server settings to avoid resetting of the write permissions?
-
05-13-2011, 10:34 PM #2Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
Move to a host that doesn't run PHP as "nobody"; running as nobody is highly insecure and leaves your files and passwords readable by others on the server (or those who hack into others accounts). Look for fastCGI, or phpsuexec, or something similar ....
More importantly, if they don't understand why it's important to not run the web server as a single shared user, there's probably other stuff they don't understand ...Last edited by brianoz; 05-13-2011 at 10:40 PM.
-
05-14-2011, 12:56 AM #3Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
It's a VPS, I only host my own sites on it.
I have 2 different VPS that have this same problem.
PHP is running as cgi handler; Apache suEXEC is on.
I also have a dedicated server I've tested with a similar setup, the writable permissions don't have the same problem there - not sure what's going on with the VPS'..
Additionally, I know it's insecure but I cannot have a self-signed SSL cert with cpanel without it. The only scripts on the VPS' are ones I've written.Last edited by gpl24; 05-14-2011 at 01:08 AM.
-
05-14-2011, 01:11 AM #4Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
Edit:
Err what?
I also have a dedicated server I've tested with a similar setup, the writable permissions don't have the same problem there - not sure what's going on with the VPS'..
Additionally, I know it's insecure but I cannot have a self-signed SSL cert with cpanel without it. The only scripts on the VPS' are ones I've written.
WTF do writable permissions have to do with a self-signed certificate?
--Common sense is not so common.
-
05-14-2011, 01:14 AM #5Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
If php is not run as cgi, the certs break. That is why suphp is not in use.
-
05-14-2011, 01:21 AM #6Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
... most likely your messing around in the httpd.conf file or you've been messing about with the permissions on the certificate files.
Hire a competent server admin or contact cPanel regarding the issue. Support comes with your license so whoever gave you your license is the place to contact.
FYI: I've been doing cPanel support for 3 years now. Someone's done something stupid.Common sense is not so common.
-
05-14-2011, 01:27 AM #7Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
I don't touch httpd.conf, everything modified is done via WHM, including the self-signed SSLs.
The VPS is managed by KnownHost, as is the other VPS I experience similar problems with. The dedicated I setup in an identical environment was elsewhere and did not experience the same issues.
-
05-14-2011, 01:32 AM #8Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
Open a ticket. If they can't figure it out they will escalate to cPanel.
I can't troubleshoot this blind and unless someone has had this exact issue nobody else will either.
What do you mean by "the certs break"? that has to be one of the most useless description of a problem I've seen in the last two hours. Almost as bad as "My site doesn't work."Common sense is not so common.
-
05-14-2011, 01:35 AM #9Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
Are you going out of your way to insult people and insist they're morons?
unless someone has had this exact issue nobody else will either.
-
05-14-2011, 01:44 AM #10Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
You asked a question with a vague description and expect a serious answer?
Had you posted something like ....
"When I run php under suPHP I get a certificate mismatch error" or "My browser says connection reset." You probably would have got a decent response.
When you ask a almost useless question you get a answer suitable the skill level I assessed you at. For someone that can't be bothered so write up a detailed description of what they see or even the path to the folder that the permissions are changes.
It's my way of saying your obviously not competent enough or too lazy to troubleshoot the issue yourself. Contact support.
I'm a prick. I know it. I also get the job done.Common sense is not so common.
-
05-14-2011, 01:48 AM #11Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
I never asked for any help with my setup - your initial post essentially told me I'm a moron, so I explained to you WHY I had such a setup.
I've been lurking & posting on this board for several years and have gotten loads of help with "vague" questions. Just because you don't understand it doesn't mean there isn't someone else out there with better comprehension skills.
Since your initial post went offtopic on the basis of my question I'm led to believe it is beyond your skill level and you just had to throw your 2cents in there about something you did know about, to make yourself feel smart.
If you have nothing useful to add to my question, please move on.
-
05-14-2011, 02:15 AM #12Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
I said it sounded like somebody did something stupid.
hehe. Yes, I'm the idiot. That's why you can't get a feature that works out of the box on thousands of cPanel servers to work. I should have guessed.
So just in case you missed the hints in the last few posts. I suggest you either describe the issue your having if you want help.
i.e. WHAT FOLDER ARE YOU TALKING ABOUT?
WHAT ARE THE PERMISSIONS RESET TO?
WHAT ARE YOU CHANGING THE PERMISSIONS TO?
WHAT DO YOU MEAN BY UPGRADE? cPanel/APACHE upgrade or the actual scripts?Common sense is not so common.
-
05-14-2011, 02:30 AM #13Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
I said it sounded like somebody did something stupid.
That's why you can't get a feature that works out of the box on thousands of cPanel servers to work. I should have guessed.
WHAT FOLDER ARE YOU TALKING ABOUT?
Does it matter? It's an upload script with php! Do you also need to know what type of photos I'm trying to upload, also?
WHAT ARE THE PERMISSIONS RESET TO?
They are reset to permissions that are un-writable. I'm surprised this wasn't obvious to you.
To be explicit, it's reset to the cpanel username (ie. account owner)
WHAT ARE YOU CHANGING THE PERMISSIONS TO?
Really? I'm surprised you didn't know this, seeing how you told me my host was a moron for allowing php to run as nobody
WHAT DO YOU MEAN BY UPGRADE?
Now, seeing as you crapped on me for being "vague", was it really that difficult to ask for greater detail? Doing so from the start would have been much more helpful than spouting off insults and other useless drivel.
And before it is stated again: Yes, I know how to open a ticket with Knownhost. No I am not lazy. I like to learn. If someone can drop some hints or let me know what they did in a similar situation, I'd learn from a mistake that I (likely) made; if Knownhost go in & do their thing, chances are they won't tell me with enough detail that I'd learn - it isn't their job to teach me or hold my hand when I break stuff. You being a "cpanel support" person, you should know that already.
If I can't find any help either in my research (which I am doing right now, I have another tab open where I'm searching other sites/forums for variations of my problem), OR from here, I WILL contact Knownhost.
And the entire purpose of this forum is for helping eachother - if everyone said "you lazy ****, go ask your host" this entire forum would be utterly useless.
It is well documented how super smart and intelligent you are. Can we please stick to the topic now?
This bantering is probably keeping people away that could help me with my question.
-
05-14-2011, 02:42 AM #14Web Hosting Evangelist
- Join Date
- May 2009
- Location
- London, United Kingdom
- Posts
- 472
Hello,
How are you running PHP? As suPHP, DSO or something else? How is your upload folder chmoded? 777?██ KnownSRV.com - Privacy. Managed. Secure. Guaranteed!
██ Web Hosting | Dedicated Cloud VPS | Dedicated Server
██ YOUR Day and Night, Fully Managed Hosting Solutions with REAL 24/7 Support
-
05-14-2011, 02:45 AM #15Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
Ok. How you managed to answer those questions without telling me anything useful is hilarious.
The directory location actually does matter because the permissions of the parent folder can come into play. Most likely it's /home/user/public_html
They are reset to permissions that are un-writable. I'm surprised this wasn't obvious to you.
To be explicit, it's reset to the cpanel username (ie. account owner)
paste the output of ls -la
Edit: Actually, I just re-read this. Your running something like
chown -R nobody: /home/user/public_html
If so that's your problem. The owner should NOT be nobody.
php uploads & chmodding work out-of-the box? If that were true, there wouldn't be so many topics on similar forums with an over-abundance of varied questions.
Really? I'm surprised you didn't know this, seeing how you told me my host was a moron for allowing php to run as nobody
Apache upgrade
If you look at my responses in the past you'll see when there is actually useful information in the post I do provide detailed instructions.Common sense is not so common.
-
05-14-2011, 03:00 AM #16Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
This should fix the ownership and permissions if that's what you've been doing.
Code:chown -R ${USER} /home/${USER}/public_html find /home/${USER}/public_html -type f -iname '*.php' -exec chmod 664 {} \; find /home/${USER}/public_html -type d -exec chmod 775 {} \;
Common sense is not so common.
-
05-14-2011, 02:48 PM #17Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
How are you running PHP? As suPHP, DSO or something else? How is your upload folder chmoded? 777?
Ok. How you managed to answer those questions without telling me anything useful is hilarious.
"You asked a question with a vague description and expect a serious answer?" ...............
The directory location actually does matter because the permissions of the parent folder can come into play. Most likely it's /home/user/public_html
"images" being the problem: it works fine once I change permissions to "nobody" - as soon as Apache updates, the permissions are re-assigned to my cpanel username thus breaking my script until I go in and manually change the permissions back to "nobody"
I asked about permissions. Not just the ownership of the folder. unwritable for who? user, group, or other? All three?
Unwritable for everyone, except nobody.
paste the output of ls -laCode:root@server [~]# ls -la total 172 drwxr-x--- 13 root root 4096 May 14 11:53 ./ drwxr-xr-x 22 root root 4096 May 11 07:58 ../ -rw------- 1 root root 957 Apr 7 21:15 .accesshash -rw------- 1 root root 3638 Apr 29 01:48 .bash_history -rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout -rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile -rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc drwxr-xr-x 3 root root 4096 Feb 7 14:44 .cpanel/ drwxr-xr-x 4 root root 4096 Feb 7 14:44 cpanel3-skel/ drwx------ 7 root root 4096 Apr 9 11:56 .cpobjcache/ -rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc -rw-r--r-- 1 root root 46294 Apr 11 16:24 exim.conf -rw-r--r-- 1 root root 26257 Apr 11 16:24 exim.pl -rw-r--r-- 1 root root 26 Apr 12 15:04 .forward drwx------ 2 root root 4096 Apr 8 11:55 .gnupg/ drwx------ 2 root root 4096 Feb 7 15:46 .HttpRequest/ drwx------ 4 root root 4096 Feb 7 14:44 .MirrorSearch/ -rw------- 1 root root 41 Apr 7 21:15 .my.cnf -rw-r--r-- 1 root root 264 Apr 17 20:56 .pearrc drwxr-xr-x 2 root root 4096 Feb 8 09:55 public_ftp/ drwxr-xr-x 3 root root 4096 Feb 7 14:44 public_html/ -rw------- 1 root root 1024 Apr 28 21:27 .rnd drwx------ 3 root root 4096 Feb 7 14:44 .spamassassin/ drwx------ 2 root root 4096 Sep 2 2010 .ssh/ -rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc drwxr-xr-x 3 root root 4096 Apr 8 11:59 tmp/
Edit: Actually, I just re-read this. Your running something like
chown -R nobody: /home/user/public_html
If so that's your problem. The owner should NOT be nobody.
This is because most people are morons and don't take 10 minutes to actually understand UNIX permissions. To be fair most of the techs I work with don't understand them either.
I never actually said that. I do think you are an idiot for doing it though so I suppose I'm guilty as charged.
This should fix the ownership and permissions if that's what you've been doing.
This line:
chown -R ${USER} /home/${USER}/public_html
Would make owner ship of my cpanel username recursive, correct; I assume that means the permissions would copy to every file & folder contained?
While doing so, the write permissions would be disabled. Only "nobody" can write to these folders; which (if I am not mistaken) is due to my current setup of php running as cgi. If I change them to my cpanel username (which I can easily do via SFTP by right-clicking, I would essentially disable the upload abilities.
Correct me if I misunderstood your command.
-
05-14-2011, 04:08 PM #18Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
While playing around with 1 of the VPS', I deleted the self-signed cert, assigned a dedicated IP to the only domain on this box.
I re-generated the cert and instead of assigning the cert to "nobody" as I did before, I assigned it to the cpanel username; all directories became unwritable that were registered to "nobody" - so I changed the permissions to my cpanel username. I can now write to them under my cpanel username. That should solve the Apache update issue for this VPS.
So basically, this is my problem that I couldn't figure out how to word properly:
- ssl cert is self-signed, assigned to "nobody"
- my upload script is running under https, meaning: I can only upload through this form if "nobody" is the folder owner.
- when apache updates, the "nobody" folders are re-assigned to my cpanel username.
My problem with VPS #1 is solved, but on VPS #2, I have 2 domains/completely different sites so I'm wondering if this is solvable without having to lose the self-signed cert for 1 of the domains.
-
05-14-2011, 08:25 PM #19Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
The command recursively sets the owner of the files and folders to your user name. replace ${USER} with the user name.
The SSL ownership has nothing to do with the file permissions.
cPanel's easyApache is reverting the permissions because they are not correct.
The owner should be the cPanel user name and the group should by nobody. That's why you want the permissions at 664 and 774.
I was looking of the output of:
ls -la /home/${USER}/public_html/
Just because it's only your sites and scripts doesn't make it any better. It's still a bad idea.
Do you really just type in commands without really understanding what they do? You should never run command without understand exactly what it does.
Code:USER="myuser" # change the owner to ${USER} and the group to nobody. chown -R ${USER}:nobody /home/${USER}/public_html # give read, write permissions to owner and group. read to everyone else. find /home/${USER}/public_html -type f -iname '*.php' -exec chmod 664 {} \; # give read, write, and execute to owner and group. give read and execute to everyone else. find /home/${USER}/public_html -type d -exec chmod 775 {} \;
2^0 = 1 = execute
2^1 = 2 = write
2^2 = 4 = read
read + write + read = 1 + 2 + 4 = 7
read + write = 4 + 2 = 6
read + execute = 5Common sense is not so common.
-
05-16-2011, 03:49 AM #20Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
The reason why changing ownership of everything to nobody is a Really Bad Idea(TM) is that every other user on your shared host will have access to read, write and change your website. That's bad.
You should run, not walk, to a host that doesn't run PHP scripts as nobody. For similar reasons, that's highly insecure.
-
05-16-2011, 10:37 PM #21Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
The owner should be the cPanel user name and the group should by nobody. That's why you want the permissions at 664 and 774.
Do you really just type in commands without really understanding what they do? You should never run command without understand exactly what it does.
brianoz - It is evident you didn't read any of the posts in this topic before replying!
-
05-16-2011, 11:14 PM #22Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
Booze!
Seriously though. You should fix suPHP.
Shared SSL certificates work with suPHP. We use both on all our servers.Common sense is not so common.
-
05-16-2011, 11:23 PM #23Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
I got suphp working on the first VPS, I just reinstalled the cert under the cpanel username & changed permissions. Works just like before, except under better security.
The 2nd server I will attempt the same, just need to make sure traffic is low when I try it. Thanks for the help.
-
05-18-2011, 03:40 AM #24Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
No doubt (there was a lot of fluff); but my points are still valid.
Even if it's only your sites, breaking into one site would give access to all the others, so well done for getting suphp going. Remember there are faster alternatives that give the same security, so if performance becomes an issue check into fastcgi and MPM worker etc.
Similar Threads
-
DA giving prob with chmod permissions
By koolnhot in forum Programming DiscussionReplies: 8Last Post: 06-23-2010, 12:38 PM -
setting chmod/file permissions on ws03
By mr360solutions in forum Dedicated ServerReplies: 0Last Post: 12-01-2004, 04:51 PM -
CHMOD Permissions
By stripeyteapot in forum Web HostingReplies: 6Last Post: 09-08-2004, 10:40 AM -
CHMOD permissions
By kaboomski in forum Web HostingReplies: 5Last Post: 08-26-2002, 10:15 PM -
How do I reset all the permissions
By certify in forum Hosting Security and TechnologyReplies: 4Last Post: 08-04-2001, 10:33 AM