Topic: PHP execution broken when trying to config for file upload.

[arne]

I have installed phproject to one of my sme boxes. (SME 7.0 server only)

It were originaly not able to upload files wia web due to security restrictions in the PHP setup (I belive.)

This is, I think, an old and very well known problem from at least SME 5.2 and SME 6.0.1, and also before that, I believe.

During the years I have used a fix from this problem using an old and rather historical e-smith faq:

<qoute>

PHP applications running in i-bays can only access files within the same i-bay. Is there a way that the administrator can relax this restriction?
Yes. The administrator can change the PHP Base Directory by executing the following commands (as root):


/sbin/e-smith/db accounts setprop your_i-bay_name PHPBaseDir /
/sbin/e-smith/signal-event ibay-modify your_i-bay_name

Note that the PHPBaseDir argument can be more restrictive than the example shown above. For example PHPBaseDir can also be '/home/e-smith/files/'.

<unquote>

Well, I now tried this procedure on the SME 7.0 as well with a bit less success.

First the web server crashed completely. I then made a new basic configuration og the server (logging in via ssh as admin).

The web server came back but it is now anly capable of handeling .html pages. None php pages works.

Any ideas how to come back to the original setup or to fix the php upload problem ?

Any suggestions will be apreciated  

Best reg Arne

[judgej]

phprojekt - yet another project that has never heard of move_uploaded_file(), and prefers for admins to losen up the security on their servers.

http://us2.php.net/manual/en/function.move-uploaded-file.php

You may wish to raise it as a bug.

-- JJ

[arne]

Correction:

The php fuction appears to work for the virtual domains but not for the Primary domain or subfolders. I dont know if the upload function works.

I have looked trough the custom templates and can not find any changes.

The commands I used were like this:

/sbin/e-smith/db accounts setprop Primary PHPBaseDir /
/sbin/e-smith/signal-event ibay-modify Primary

For the old SME 6.x this worked in the way that all restrictions for uploading files via php disapeared. For the SME 7.0 it looks like the effect is a bit different.

One thing I am wondering about is: If I made a backup and a restore will the backup restore still contain the modification ?? (I believe in the SME 6.x  it did, even though there were no entries in the custom templates. Could be I have an incorrect memory about this.)

[arne]

->judgej

Thanks for your info. I did not see it when I was writing/testing my server.

I guess that the function you refer to does not use the /tmp folder like that the phproject does ?

Arne

[judgej]

->judgej

Thanks for your info. I did not see it when I was writing/testing my server.

I guess that the function you refer to does not use the /tmp folder like that the phproject does ?

Arne

It does use the /tmp folder, but it does so in a way that bypasses the directory restrictions. It also has extra safeguards in it ensuring it cannot be hijacked to copy other files, such as /etc/passwd to a web-accessible location, something that phprojekt has been renouned for in the past.

-- JJ

[arne]

Hmm .. The old upload method does not work any more, I think.

On the other hand I saved all my files and php applications under Primary by just copying them all over to a new i-bay.

phproject is an extremely good application, so I will try to solve the problem with the upload function in one way or the other.

Just don't know how yet .. ( .. modifying the phproject code might be an alternative ..)

Arne

[arne]

Found this one ..

http://forums.contribs.org/index.php?topic=34615.0

Have not solved the problem.

[william_syd]

Correction:

The php fuction appears to work for the virtual domains but not for the Primary domain or subfolders. I dont know if the upload function works.

I have looked trough the custom templates and can not find any changes.

The commands I used were like this:

/sbin/e-smith/db accounts setprop Primary PHPBaseDir /
/sbin/e-smith/signal-event ibay-modify Primary

For the old SME 6.x this worked in the way that all restrictions for uploading files via php disapeared. For the SME 7.0 it looks like the effect is a bit different.

One thing I am wondering about is: If I made a backup and a restore will the backup restore still contain the modification ?? (I believe in the SME 6.x  it did, even though there were no entries in the custom templates. Could be I have an incorrect memory about this.)

To go back to original..

Code: [Select]

/sbin/e-smith/db accounts delprop Primary PHPBaseDir
/sbin/e-smith/signal-event ibay-modify Primary

What may get you going..

Code: [Select]

/sbin/e-smith/db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary/: /tmp
/sbin/e-smith/signal-event ibay-modify Primary

[arne]

I'm impressed ! It worked. The web is full of the old solution here and there, but the only place I have seen the new solution is here in this tread.

One stange thing was that I also had to change the security setting of the phproject upload folder. I now use 775. I had it more restrictive under sme 6.0.1

Until now I have just testet the upload in subfolders of the Primary ibay.

Thanks a lot  

Arne

[arne]

A small correction again ..

It is the upload to other i-bays than Primary that works. Upload to subfolders of Primary seems not to work. (I think that is not a problem at all.) (And the other i-bays than Primary is accessed as virtually domains.)

To mention it again, I had to set the permisions of the opload folder a little bit different from the sme 6.0.1. This time I use 775

Arne

[arne]

Upload function tested with Windows XP / Explorer And Linux / Konqueror / Opera http ans https. Everything worked just fine.

Great !      

Thanks again !

Arne

[william_syd]

I thought I would have a play...

Download and extract all the files to /opt/phpproject

Code: [Select]

chown www:www -R /opt/phpproject

Make a file.. 86phpproject
Contents...

Code: [Select]


# phpproject
Alias /phpproject /opt/phpproject
<Directory /opt/phpproject>
    SSLRequireSSL on
    Options -Indexes
    AllowOverride None
    order deny,allow
    deny from all
    allow from all
    Satisfy all
    AddType application/x-httpd-php .php .php3
    php_flag  magic_quotes_gpc  on
    php_flag  track_vars        on
</Directory>




and copy it to /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

Code: [Select]

expand-template /etc/httpd/conf/httpd.conf
svc -t /service/httpd-e-smith

Make a empty mysql db and user

Goto
https://server/phpproject

File uploads appear to work.

https://secure.magicwilly.info/phpproject
arne/arne

And open_basedir is not set...
https://secure.magicwilly.info/phpproject/index2.php