
drask 04-01-2013 11:36 AM

Apache ACLs for uploaded files in Drupal 6 on CentOS 5
This is really a permissions issue; I hope this is the right forum.

I have a webserver set up with CentOS 5 and am using ACLs to allow write access to all files in a particular directory to users in the webmasters group, but something appears to be stripping my ACL permissions off when uploading files through the webserver.

I have set the command
setfacl -m d:g:webmasters:rwx .

on the directory. If I touch test.txt and run ls -l, I see
-rw-rw-r--+ 1 drask drask 0 test.txt

and the ACLs are set correctly when I run getfacl:
# file: test.txt
# owner: drask
# group: drask
group::rwx # effective rw-
group:webmasters:rwx #effective rw-

however, if I upload a file (webserver_test.txt) through drupal and ls -l, I get:
-rw-rw-r-- 1 apache apache 0 webserver_test.txt
-rw-rw-r--+ 1 drask drask 0 test.txt

(notice the missing '+' on the first line) and if I do getfacl on webserver_test.txt, I get:
# file: webserver_test.txt
# owner: apache
# group: apache

So it has no ACLs set, and people in my webmasters group can't modify the file.

If I do:
sudo su -s /bin/sh apache -c "touch apache_test.txt"

the new file shows up as:
-rw-rw-r--+ 1 apache apache 0 apache_test.txt

and has the ACLs I need set. So there is something odd about the webserver, Drupal 6, PHP, or something that is stripping the ACLs off of uploaded files.

Anybody have any similar experience or know of a workaround?

Please don't suggest adding all the members of the webmasters group to the apache group; that won't work for me for technical reasons I'm not getting into right now, and I really want these ACLs to work correctly.

Much Thanks!

vishesh 04-01-2013 12:38 PM

Hopefully you have SELinux off. It seems that the file upload is taking place via a user which has some rights issue, i.e. the user the website is running as. I mean to say, maybe suexec can be used here.


drask 04-01-2013 01:48 PM

After thinking about it over lunch, I suspect what is happening is that the file is being created somewhere else, like /tmp, and then being moved into the directory when uploaded via Drupal. I attempted the experiment of

$ sudo su -s /bin/sh apache -c "touch /tmp/newtest.txt; mv /tmp/newtest.txt ."

and that produced the result of

-rw-rw-r-- 1 apache apache 0 newtest.txt
(missing plus after permissions means no ACLs set)

So I guess the key is to figure out where Drupal is creating the file and set my ACLs there.
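
The mechanism behind this post, as an added example that is not code from anyone in the thread: a directory's default ACL is applied by the kernel only when a new inode is created inside that directory (open/creat, mkdir, or a cp that writes a fresh file). mv on the same filesystem is a rename(2), which keeps the inode and therefore the ACL the file was born with, so a file created in /tmp arrives without the webmasters entry. The script below has two parts: an audit function that reads `ls -l` output and lists regular files lacking the '+' marker, run here over a constructed listing mirroring the thread, and a demo that reproduces the create-vs-mv-vs-cp difference with setfacl/getfacl in a throwaway directory. It assumes GNU acl tools are installed and uses the caller's primary group as a stand-in for webmasters; all file and directory names are constructed.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.
#   acl_marker_check     - names regular files in `ls -l` output that carry no extended ACL
#                          (the missing '+' that drask noticed), for auditing an upload directory.
#   acl_inheritance_demo - reproduces the create-vs-mv experiment: a default ACL is applied
#                          at inode creation; rename(2) keeps the inode and its original ACL.
# All file and directory names below are constructed for the demo.

# Read `ls -l` lines on stdin; print the name of each regular file whose mode string does
# not end in '+'. A trailing '.' (SELinux context only, no ACL) is reported as well;
# directories, symlinks and the "total" line are skipped. Names with spaces are not handled.
acl_marker_check() {
    while IFS= read -r line; do
        mode=${line%% *}        # first field: permission string
        name=${line##* }        # last field: file name
        case "$mode" in
            -*+) ;;                       # regular file with an extended ACL: fine
            -*)  printf '%s\n' "$name" ;; # regular file without one: report it
            *)   ;;                       # anything else: skip
        esac
    done
}

# Constructed listing mirroring the observations in the thread.
SAMPLE_LISTING='total 0
-rw-rw-r-- 1 apache apache 0 webserver_test.txt
-rw-rw-r--+ 1 drask drask 0 test.txt
-rw-rw-r-- 1 apache apache 0 newtest.txt
-rw-rw-r--+ 1 apache apache 0 apache_test.txt'

check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | acl_marker_check
}

# True if the file's access ACL has at least one *named* group entry
# (getfacl prints the owning group as "group::rwx", named groups as "group:NAME:rwx").
has_named_group_acl() {
    getfacl -c "$1" 2>/dev/null | grep -q '^group:[^:]'
}

# Prints "created:acl moved:none copied:acl" on a filesystem with ACL support, or
# "skipped" when setfacl/getfacl are missing or the default ACL cannot be set.
acl_inheritance_demo() {
    if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
        echo skipped; return 0
    fi
    dir=$(mktemp -d) || return 1
    grp=$(id -gn)                       # stand-in for the thread's "webmasters" group
    if ! setfacl -m "d:g:$grp:rwx" "$dir" 2>/dev/null; then
        rm -rf "$dir"; echo skipped; return 0
    fi
    : > "$dir/created.txt"                                        # new inode here: inherits
    src=$(mktemp) && mv "$src" "$dir/moved.txt"                   # born in /tmp, renamed in: no ACL
    src=$(mktemp) && cp "$src" "$dir/copied.txt" && rm -f "$src"  # cp writes a new inode: inherits
    result=""
    for f in created moved copied; do
        if has_named_group_acl "$dir/$f.txt"; then result="$result $f:acl"; else result="$result $f:none"; fi
    done
    rm -rf "$dir"
    echo "${result# }"
}

# Run directly: show which way each file arrived.
acl_inheritance_demo
```

For a real upload directory, pipe `ls -l /path/to/uploads` into acl_marker_check; any file it prints was created elsewhere and renamed in, which is exactly the case a default ACL on the destination cannot cover.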

unSpawn 04-02-2013 02:26 AM


Originally Posted by vishesh (Post 4922862)
Hopefully you have SELinux off.

Please don't. Without properly diagnosing this situation first such "advice" is of no value.
