LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-01-2013, 11:36 AM   #1
drask
LQ Newbie
 
Registered: May 2005
Location: Lewisburg, WV
Distribution: Debian Centos
Posts: 8
Blog Entries: 16

Rep: Reputation: 0
Apache ACLs for uploaded files in Drupal 6 on CentOS 5


This is really a permissions issue, I hope this is the right forum.

I have a webserver set up with CentOS 5 and am using ACLs to allow write access to all files in a particular directory to users in the webmasters group, but something appears to be stripping my ACL permissions off when uploading files through the webserver.

I have set the command
setfacl -m d:g:webmasters:rwx .

on the directory. If I touch test.txt and run ls -l, I see
-rw-rw-r--+ 1 drask drask 0 test.txt

and the ACL's are set correctly when I run getfacl:
# file: test.txt
# owner: drask
# group: drask
user::rw-
group::rwx # effective rw-
group:webmasters:rwx #effective rw-
mask::rwx
other::r--

however, if I upload a file (webserver_test.txt) through drupal and ls -l, I get:
-rw-rw-r-- 1 apache apache 0 webserver_test.txt
-rw-rw-r--+ 1 drask drask 0 test.txt

(notice the missing '+' on the first line) and if I do getfacl on webserver_text.txt, I get:
# file: webserver_test.txt
# owner: apache
# group: apache
user::rw-
group::rw-
other::r--

So it has no acl's set, and people in my webserver group can't modify the file.

If I do:
sudo su -s /bin/sh apache -c "touch apache_test.txt"

the new file shows up as:
-rw-rw-r--+ 1 apache apache 0 apache_test.txt

and has the ACL's I need set. So there is something odd about the webserver, Drupal 6, php, or something that is stripping the ACL's off of uploaded files.

Anybody have any similar experience or know of a workaround?

Please don't suggest adding all the members of the webmasters group to the apache group, that won't work for me for technical reasons I'm not getting into right now, and I really want these ACL's to work correctly.

Much Thanks!

Last edited by drask; 04-01-2013 at 04:08 PM.
 
Old 04-01-2013, 12:38 PM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
Hopefully you have selinux off . It seems that file uploading taking place via the user which have some right issue . by which user website is running , I mean to say if suexec can be used here


Thanks
 
Old 04-01-2013, 01:48 PM   #3
drask
LQ Newbie
 
Registered: May 2005
Location: Lewisburg, WV
Distribution: Debian Centos
Posts: 8
Blog Entries: 16

Original Poster
Rep: Reputation: 0
After thinking about it over lunch, I suspect what is happening is that the file is being created somewhere else, like /tmp, and then being moved into the directory when uploaded via drupal. I attempted the experiment of

$ sudo su -s /bin/sh apache -c "touch /tmp/newtest.txt; mv /tmp/newtest.txt ."

and that produced the result of

-rw-rw-r-- 1 apache apache 0 newtest.txt
(missing plus after permissions means no ACLs set)

So I guess the key is to figure out where drupal is creating the file and set my ACLs there.

Last edited by drask; 04-01-2013 at 04:09 PM.
 
Old 04-02-2013, 02:26 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
Quote:
Originally Posted by vishesh View Post
Hopefully you have selinux off .
Please don't. Without properly diagnosing this situation first such "advice" is of no value.
 
  


Reply

Tags
apache


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Installing ssl certificate in CentOS 6.3 Apache & Drupal rhbegin Linux - Desktop 2 07-27-2012 04:38 PM
[SOLVED] ACLs work on my CentOS server without enabling on the file system as documented m223464 Linux - Security 9 03-19-2012 12:12 AM
Drupal installed on CentOS 6.2 with Apache (permissions problem) rhbegin Linux - Server 38 02-04-2012 01:08 AM
Filter uploaded files shafey Linux - Server 0 03-06-2008 01:14 AM
Regarding default uploaded file permission in apache chandramani Linux - General 0 03-23-2006 10:11 AM


All times are GMT -5. The time now is 10:32 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration