I just installed SMF 2RC3 and am trying to install the SimpleDesk 1.0 Felidae mod.
The package manager says the mod was installed successfully but it really did not.
I created a temp folder and chmod it to 777 before executing the install. I ran fix_ownership.php and used the same forum path in the package manager FTP options. I manually chmod the forum folder and all subdirectories to 777.
But still does not work.
The first two error logs for this installation are:
coneco
192.168.0.203
Today at 11:54:55 am
488cd4f714e3469c3d46c8c39608834c
Type of error: General
hxxp://conecosrv2v1/forum/index.php?action=admin;area=packages;sa=install2;package=simpledesk-1.0-felidae.tar.gz;pid=0
2: file_get_contents(/usr/share/joomla15/forum/Packages/temp/language-php/SimpleDesk.english.php) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory
File: /usr/share/joomla15/forum/Sources/Subs-Package.php
Line: 2418
coneco
192.168.0.203
Today at 11:54:42 am
488cd4f714e3469c3d46c8c39608834c
Type of error: Undefined
hxxp://conecosrv2v1/forum/index.php?action=admin;area=packages;sa=install;package=simpledesk-1.0-felidae.tar.gz
8: Undefined index: package_readme
File: /usr/share/joomla15/forum/Sources/Packages.php
Line: 365
I added a .htaccess file in the SMF forum root folder, as follows:
-----------------------------------------------------
<Files *>
Order Allow,Deny
Allow from all
</Files>
-----------------------------------------------------
Now the package manager can write to the folders because the *.tar.gz was extracted successfully to the Sources folder.
But still can't execute the *.php
The first three errors in the log are:
coneco
192.168.0.203
May 04, 2010, 03:20:43 pm
f1a7b16bc83422746f3cb59e4cb48352
Type of error: Undefined
hxxp://conecosrv2v1/forum/index.php?action=admin;area=packages;sa=install2;package=simpledesk-1.0-felidae.tar.gz;pid=0
8: Undefined index: theme
File: /usr/share/joomla15/forum/Sources/Packages.php
Line: 935
coneco
192.168.0.203
May 04, 2010, 03:20:43 pm
f1a7b16bc83422746f3cb59e4cb48352
Type of error: General
hxxp://conecosrv2v1/forum/index.php?action=admin;area=packages;sa=install2;package=simpledesk-1.0-felidae.tar.gz;pid=0
2: fopen(/usr/share/joomla15/forum/Sources/Admin.php) [<a href='function.fopen'>function.fopen</a>]: failed to open stream: Operation not permitted
File: /usr/share/joomla15/forum/Sources/Subs-Package.php
Line: 2513
coneco
192.168.0.203
May 04, 2010, 03:20:43 pm
f1a7b16bc83422746f3cb59e4cb48352
Type of error: General
hxxp://conecosrv2v1/forum/index.php?action=admin;area=packages;sa=install2;package=simpledesk-1.0-felidae.tar.gz;pid=0
2: fwrite(): supplied argument is not a valid stream resource
File: /usr/share/joomla15/forum/Sources/Subs-Package.php
Line: 2514
As I said on sm.org where this was first posted, check out the file permissions, whether something like Suhosin is installed, and whether fopen has been disabled by php.ini.
Quote from: Arantor on May 06, 2010, 12:35:52 PM
As I said on sm.org where this was first posted, check out the file permissions, whether something like Suhosin is installed, and whether fopen has been disabled by php.ini.
Here is my phpinfo.php output and the system php.ini.
I see Suhosin in the phpinfo, but it is for the SSL modules. I do not see that fopen has been disabled by php.ini.
I am new with Apache and PHP.
OK, I agree with you; fopen isn't disabled.
However, suhosin prevents anything with 777 permissions going ahead.
What other permissions have you tried?
Quote from: Arantor on May 06, 2010, 01:47:49 PM
OK, I agree with you; fopen isn't disabled.
However, suhosin prevents anything with 777 permissions going ahead.
What other permissions have you tried?
I have not tried any other permissions. But how do you know Suhosin is installed and acting on PHP? Is there a way to generate an error log somewhere?
And in any case, which permissions should I try? Folders and files are chown root:root.
The fact it says right up at the top that it's hardened by Suhosin is the giveaway.
Suhosin is a PHP patch that adds additional security measures.
Try setting files to 755 and folders to 644, and make sure the owner isn't root (that's usually a bad idea in any case)
Quote from: Arantor on May 06, 2010, 02:34:19 PM
The fact it says right up at the top that it's hardened by Suhosin is the giveaway.
Suhosin is a PHP patch that adds additional security measures.
Try setting files to 755 and folders to 644, and make sure the owner isn't root (that's usually a bad idea in any case)
Should I chown www-data:www-data forum -R?
Assuming www-data is the Apache user it should be safe to do so.
Quote from: Arantor on May 06, 2010, 02:42:44 PM
Assuming www-data is the Apache user it should be safe to do so.
OK. I will try the chown www-data:www-data forum -R and chmod 755, chmod 644.
This may take some time.
When done, I will post the results.
Quote from: Arantor on May 06, 2010, 02:34:19 PM
The fact it says right up at the top that it's hardened by Suhosin is the giveaway.
Suhosin is a PHP patch that adds additional security measures.
Try setting files to 755 and folders to 644, and make sure the owner isn't root (that's usually a bad idea in any case)
I managed to change all folders, including the forum root, to 0644, and all files within all folders/subfolders to 0755.
I also chowned all files and folders (the forum branch, including the root folder) to www-data:www-data.
Now the forum page produces a single line message page:
Unable to load Themes/default/index.template.php!
What user is your web server running as? Is it *definitely* running as www-data?
Quote from: Arantor on May 06, 2010, 04:55:34 PM
What user is your web server running as? Is it *definitely* running as www-data?
root@conecosrv2v1:/# ps -ef |grep apache
root 20630 1 0 May03 ? 00:00:32 /usr/sbin/apache2 -k start
www-data 20632 20630 0 May03 ? 00:00:12 /usr/sbin/apache2 -k start
www-data 21824 20630 0 May04 ? 00:00:04 /usr/sbin/apache2 -k start
www-data 22033 20630 0 May04 ? 00:00:07 /usr/sbin/apache2 -k start
www-data 22236 20630 0 May04 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 23878 20630 0 14:07 ? 00:00:05 /usr/sbin/apache2 -k start
www-data 23891 20630 0 14:11 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 23946 20630 0 14:39 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 23949 20630 0 14:39 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 23979 20630 0 14:48 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 23988 20630 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
root 24012 23896 0 16:06 pts/0 00:00:00 grep apache
Including my apache configuration file
What if I add the www-data user to the root group?
Then I put back the folders/files to chown root:root
This way all the Apache instances will have write access to the folders/files
(The root Instance and the www-data instances)
Quote from: jetberrocal on May 10, 2010, 03:34:39 PM
What if I add the www-data user to the root group?
Then I put back the folders/files to chown root:root
This way all the Apache instances will have write access to the folders/files
(The root Instance and the www-data instances)
I tried this with chmod 0775 on all folders/files, but the system says the folders are not writable.
It is as if the user www-data is not recognized as part of the root group.
I don't get why you have things running as root.
Here's why: if the web files are owned by root, the webserver pretty much has to run as root. Now let's say Apache has a vulnerability - it does happen. Now your ENTIRE SERVER can be compromised.
Quote from: Arantor on May 10, 2010, 04:22:13 PM
I don't get why you have things running as root.
Here's why: if the web files are owned by root, the webserver pretty much has to run as root. Now let's say Apache has a vulnerability - it does happen. Now your ENTIRE SERVER can be compromised.
At boot, the Apache server starts one instance that opens and binds port 80, which is a root port, then answers requests by opening instances under www-data. I think this is the default behavior. That is why the ps -ef output shows Apache2 running under root and the others running under www-data.
I do not know how to make it start all instances under www-data while binding Apache to port 80 at boot.
How do you do it?
That's how I have it; root is required to open port 80. What was concerning me is that if the files Apache is accessing are owned by root, all the *children* normally have to be root too, not www-data, which suggested to me the forking and reassigning of user id weren't happening.
Quote from: Arantor on May 10, 2010, 06:38:20 PM
That's how I have it; root is required to open port 80. What was concerning me is that if the files Apache is accessing are owned by root, all the *children* normally have to be root too, not www-data, which suggested to me the forking and reassigning of user id weren't happening.
On the internet, I saw there are umask, setgid and setid configurations besides the basic chmod and chown stuff.
What are your forum folder/file settings, so I can make mine the same?
I know that setgid and setid can be set with chmod, but I do not know how to set the umask.
Eureka!!!
Found at least one security scheme that works.
Change the ownership of everything under /usr/share/joomla15/forum to www-data:root:
chown -R www-data:root /usr/share/joomla15/forum ## -R = recursive
Change the permissions of all the folders to 2775:
chmod 2775 /usr/share/joomla15/forum -R ## 2=set group id, Note that the forum root folder chmod is 775 not 755
OR
find /usr/share/joomla15/forum -type d -exec chmod 2755 {} \; ## Selective to only the folders, Note that subfolder are 755
Change all the files to 0664:
find /usr/share/joomla15/forum -type f -exec chmod 0664 {} \; ## Selective to only the files
Change the umask for your users to 0002:
The umask controls the default file creation permissions, 0002 means files will have 664 and directories 775. Setting this (by editing the umask line at the bottom of /etc/profile in my case) means files created by www-data will be writable by other users in the root-group without needing to chmod them. Usually the system default is 0022.
Reboot the system for the umask setting to take effect, if changed.
Now install the mod as usual, and activate it (Core Features should add the SD (SimpleDesk) Icon/Settings).
Thank you (Arantor) for your Help,
Jose
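
The directory and file modes from the post above, applied to a throwaway tree and audited (an added example, not part of the original thread). The function names and the temp-directory layout are hypothetical; it assumes GNU find and Linux setgid-directory semantics, and it leaves ownership alone because the post's chown to www-data:root needs root.

```shell
#!/bin/sh
# Added example. Every path below is constructed under a temp directory.

# List entries that break the layout from the post: anything world-writable,
# and any directory missing setgid or the owner's search (x) bit.
audit_tree() {
    find "$1" \( -perm -0002 \
        -o \( -type d ! -perm -2000 \) \
        -o \( -type d ! -perm -0100 \) \) -print
}

# Apply the post's modes: directories 2775, files 0664. Ownership is untouched.
apply_scheme() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# Symbolic mode string of one path, e.g. drwxrwsr-x
perm_string() { ls -ld "$1" | cut -c1-10; }

# Create a file and a directory under $1 with umask $2; print both mode strings.
create_with_umask() (
    umask "$2"
    : > "$1/new-$2.php"
    mkdir "$1/dir-$2"
    echo "$(perm_string "$1/new-$2.php") $(perm_string "$1/dir-$2")"
)

demo() {
    root=$(mktemp -d)
    forum="$root/forum"                      # constructed stand-in web root
    mkdir -p "$forum/Sources" "$forum/Packages/temp"
    : > "$forum/Sources/Admin.php"
    chmod -R 0777 "$forum"                   # the thread's starting state
    before=$(audit_tree "$forum" | wc -l | tr -d ' ')
    apply_scheme "$forum"
    after=$(audit_tree "$forum" | wc -l | tr -d ' ')
    strict=$(create_with_umask "$forum/Packages/temp" 0022)
    shared=$(create_with_umask "$forum/Packages/temp" 0002)
    rm -rf "$root"
    echo "flagged_before=$before flagged_after=$after"
    echo "umask0022: $strict"
    echo "umask0002: $shared"
}

demo
```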