FC3 install, ImageMagick creates thumbs owned by user apache

Started by TheOhmster, June 26, 2005, 08:17:39 PM


TheOhmster

I have Coppermine 1.3.3 installed and love it; this is my second install of Coppermine. The system is a home Fedora Core install online via an always-on ADSL connection with a FQDN. I run httpd-2.0.52-3.1 (apache), ImageMagick-6.2.2.0-2.fc3, php-4.3.11-2.5, mysql-3.23.58-16.FC3.1. My previous install on Redhat 9 with GD worked perfectly for so long. I had to take down that server because the system got compromised by spammers who got in through apache somehow, might have been because of an early version of phpbb2 so I wiped the system and installed FC3 and am not using phpbb2 anymore. The computer is in my home and I access it either directly or via ssh from my XP machine on the home LAN. I can copy files to it with samba or FTP.

Coppermine 1.3.3 really works good and I put photos on it via batch mode by dumping pictures on it in the /albums directory and then use batch mode to install the pictures. This works really well as before but any thumbnails or normal photos that convert creates are now owned by apache and not by me in my $HOME/public_html/cpg133/albums/<album name> directory. Here is an example, I will do an ls in one of the album directories so you can see what is happening:

[ohmster@ohmster Baby_Pictures]$ ls -la
total 1356
drwxrwxrwx   2 ohmster ohmster   4096 Jun 26 00:32 .
drwxrwxrwx  10 ohmster ohmster   4096 Jun 26 03:36 ..
-rw-rw-rw-   1 ohmster ohmster 426953 Jun 26 00:29 IMG_0201.JPG
-rw-rw-rw-   1 ohmster ohmster 442525 Jun 26 00:29 IMG_0202.JPG
-rw-rw-rw-   1 ohmster ohmster 375180 Jun 26 00:29 IMG_0203.JPG
-rw-r--r--   1 apache  apache   23890 Jun 26 00:32 normal_IMG_0201.JPG
-rw-r--r--   1 apache  apache   25204 Jun 26 00:32 normal_IMG_0202.JPG
-rw-r--r--   1 apache  apache   23262 Jun 26 00:32 normal_IMG_0203.JPG
-rw-r--r--   1 apache  apache    8268 Jun 26 00:32 thumb_IMG_0201.JPG
-rw-r--r--   1 apache  apache    8593 Jun 26 00:32 thumb_IMG_0202.JPG
-rw-r--r--   1 apache  apache    8352 Jun 26 00:32 thumb_IMG_0203.JPG
[ohmster@ohmster Baby_Pictures]$

Notice that the pictures that I uploaded belong to me, ohmster. All of the normal and thumbnail pictures that were created by Coppermine and convert now belong to user "apache". This is a pain because I would have to now become superuser in order to gain ownership of the images again. My previous install of Coppermine with GD never did this, any files or images created by Coppermine and GD were owned by me as they should be. I see no options anywhere in Coppermine to set ownership of files or photos. How do I fix this and make it so that any files or images created by Coppermine or convert belong to me? Is this a configuration setting outside of Coppermine or something? Other than this issue, Coppermine really works great and I have little problems with it. Please help.

Thanks,
Ohmster

kegobeer

I think you may be having an issue with SELinux.  Disabling it may help.

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825880

You can also search for SELinux on our forum to see what others have discovered.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

TheOhmster

Thanks for the reply but no, I have SELinux turned off. I heard about all the problems with it and that is one feature that I did not install. Coppermine probably would not work right at all with SELinux installed. It does work and it works quite well but anything created by convert ends up being owned by user apache and not me. This is probably somewhere in my apache or httpd configuration files or maybe my php.ini file because when I use coppermine to batch add pictures, it used "apache" to call up convert to do the actual work on the images. If convert is called up by user apache, then it makes sense that the images created by convert would be owned by whatever user called up the convert command, in this case, user apache.

Somewhere in some config file, I have to make it so that I will get ownership of the files that convert creates.

Thanks for pitching in!

kegobeer

How about the config.inc.php?  Coppermine writes that during the install process - who's the owner of that file?

Have you done an exec('whoami') to see who owns the php process?

<?php
echo exec('whoami');
?>

TheOhmster

Quote from: kegobeer on June 26, 2005, 10:13:06 PM
How about the config.inc.php?  Coppermine writes that during the install process - who's the owner of that file?

Have you done an exec('whoami') to see who owns the php process?

<?php
echo exec('whoami');
?>


[ohmster@ohmster include]$ pwd
/home/ohmster/public_html/family/cpg133/include
[ohmster@ohmster include]$ ls -la config.inc.php
-rw-r--r--  1 apache apache 518 Jun 26 00:13 config.inc.php
[ohmster@ohmster include]$

Looks like it is owned by apache. I don't quite understand what you mean by the exec command. You are asking me to run a command and post the output? What would the syntax be to run on the command line? I cannot run it as you have posted, I get bad output:

[ohmster@ohmster include]$ echo exec('whoami');
-bash: syntax error near unexpected token `('
[ohmster@ohmster include]$

I think we are getting closer, please explain and suggest. Thank you.

kegobeer

I thought that would spit out the owner of the php process.  Try substituting system("whoami") for echo exec("whoami").

If config.inc.php is owned by apache, then I think the PHP processes are executed under the apache user, hence the ownership issue.  Anything written under a php script will show the apache user as the owner.  You can try writing a few test scripts that write to the server and see if the apache user is indeed the owner.

Now, how to change it - that I don't know.  Have you checked out the Fedora forums?

TheOhmster

Hmmm, I am at a Linux command window with ssh from my XP machine, this is easier for me. Your pasted code suggests that you are in some kind of php process when you do your exec command or something?

<?php
echo exec('whoami');
?>

My Linux prompt does not look like that, either from an ssh session or the normal Linux CLI. This is my prompt:
[ohmster@ohmster ~]$

Is what you pasted above (in blue) typed into a command prompt or is this something that you ran from a bash script or put in a php file and then ran, either from the command prompt or via browser to the php page that you created?

I don't know how to change it either to make the php process or the convert process run by me so that the files it produces are owned by me, so don't feel bad.  ;)

Coppermine has been under development for a long time and these issues probably have been worked out, just have to wait for someone that knows this stuff a little better to come along, I guess. I posted to the Linux newsgroups: comp.os.Linux,alt.os.Linux,alt.apache.configuration with a followup requested to comp.os.Linux. Usenet usually takes a day or two to get some help but it is a pretty good source of information and help, will wait and see and reply back here if I get any help. Otherwise will have to wait and see if anyone has an answer. This is not a terrible thing and I could su and then chown and chgrp to me to gain ownership if I have to but would like for this to be setup nice like it was before when I used GD.

Thanks for your help, keg. Hey, I got a question that you could probably answer, how did you get an avatar on your posts? I don't see anything in my account setup for adding an avatar and would like to put my mug in there.

Thanks.

TheOhmster

Keg,

Figured out how to do your test, although I don't know how it helps. I put your stuff in a file with vi called "test.php" and made it executable and ran it. Here is what is in test.php:

#!/usr/bin/php
<?php
echo exec('whoami');
?>

Here is the output:

[ohmster@ohmster bench]$ ./test.php
Content-type: text/html
X-Powered-By: PHP/4.3.11

ohmster[ohmster@ohmster bench]$

Changed the syntax as you said, here is the new file:

#!/usr/bin/php
<?php
system("whoami");
?>

Here is the output:

[ohmster@ohmster bench]$ ./test.php
Content-type: text/html
X-Powered-By: PHP/4.3.11

ohmster
[ohmster@ohmster bench]$

They are both pretty much the same, although the system one prints my name "ohmster" on a line above the prompt and the echo one prints my name "ohmster" on the same line as the cursor, right before the prompt. Difference in output shown in green.

Does this help at all? Anyone got an idea of how to make Coppermine produce files that actually belong to me?

Thanks,
Ohmster

Nibbler

You would set the user that the server runs under in apache's httpd.conf, look for the section:

# User/Group: The name (or #number) of the user/group to run httpd as.

and change the User line under that to your username.

When running the test script from Kegobeer, you should have put that file in your 'website' or public_html dir and run it through your browser. If you run it from the command line it will just tell you your own username - it must be run by apache to tell you anything useful.

TheOhmster

Okay, first running test.php from a web browser in my cpg133 directory. Had to take out the #!/usr/bin/php line and just run it as kegobeer first wrote:

<?php
system("whoami");
?>

Returns in browser:
apache

2nd test by kegobeer run in browser:

<?php
echo exec('whoami');
?>

Returns in browser:

apache

Yes, looks like php is owned by apache. My httpd.conf file does specify that apache be run as user apache as shown:

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group #-1 on these systems!
#
User apache
Group apache

I had coppermine running previously on a redhat 9 system with gd instead of ImageMagick and apache ran as apache. All thumbnails and files written by coppermine were owned by me. That was great. I am hesitant to change the httpd server over to run as myself to accomplish this, although I agree that it would probably work. The reason that I am hesitant about this is that it is not (so far as I know) the way a web server should operate. I have privileges assigned by sudoers and if "apache got away from me" as had happened when redhat 9 was compromised (probably a phpbb2 hack), then the web server could run with higher privileges. Also I run 3 FQDNs on the machine, how would this affect the other domains? Right now this may not as there is no coppermine running on them but if something is added to the other domains, then they get stuck with "ohmster".

Does everyone who runs coppermine on an FC3 system have to run their web servers as themselves? There are a lot of people running coppermine on servers that they do not own and they could not possibly change the httpd server to run as themselves for the sake of a photo gallery program. I have gd on the system:


[ohmster@ohmster cpg133]$ rpm -q gd
gd-2.0.28-1.30.1
[ohmster@ohmster cpg133]$

If I change coppermine to use gd instead of ImageMagick, would this make it work right like it used to, do you think?

Hope this info gets us closer to a solution, thanks for your help. Will be monitoring this forum.

Ohmster

Nibbler

I'm no expert on server setup unfortunately. I run apache as myself under FC4 with no issues, but it's only a private test server. I don't think switching to GD would help, as any files created by apache by any method would still be owned by apache. It's more of a server setup issue than anything Coppermine has control over.

kegobeer

If you always use Coppermine to manage your gallery files (which you should always do), you won't have to chown anything - Coppermine will delete pictures if you decide to remove them from your gallery.  I think you are fine with php running as Apache.

TheOhmster

Yeah guys, I did a little more reading on this subject in the FAQ, fortunately there is a direct link to the relevant part right here:
http://coppermine.sourceforge.net/faq.php#cantDeletePic

They do mention that coppermine can delete its own files, and since I own this server, I could always su to do anything I want with the files on it. It is really not clear to me as to what to set the directory permissions to. I have to use 777 for the albums directory or I cannot put in any pictures. As to the rest, I am unsure. I wish that the guy that wrote the FAQ or the Online Manual would have spelled it out a bit more clearly, and also gone into recommended server and php setup for umask and all.  :P

I am going to leave it alone as I feel that reassigning the user and group of the server is a real "down and dirty hack" and I am not comfortable with that, I just got over a serious security problem with apache and had to wipe my redhat 9 server as a result of it.

Thanks for your help, guys.
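
An added example, not part of the original posts and not Coppermine code: a small audit script for an upload tree like the albums directory discussed in this thread, counting world-writable files and directories and summarising file ownership so the effect of the 777/666 modes and the apache-owned thumbnails can be checked after each batch add. The script name audit.sh and the demo_tree sample data are assumptions made for illustration; it relies on GNU find and stat.

```shell
#!/usr/bin/env bash
# Added example: audit an upload tree like the albums/ directory in this thread.
# Uses GNU find and stat, as shipped on Fedora.

# Regular files that any local account can modify (mode o+w, e.g. 666).
count_world_writable_files() {
    find "$1" -type f -perm -0002 | wc -l | tr -d ' '
}

# Directories that are world-writable with no sticky bit (777, not 1777).
count_open_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | wc -l | tr -d ' '
}

# Files per owner, printed as owner=count, to show what the web server created.
owner_summary() {
    find "$1" -type f -exec stat -c '%U' {} + | sort | uniq -c |
        awk '{ print $2 "=" $1 }'
}

# Remove other-write from regular files only; directory modes are untouched.
# Assumption: the web server only needs to read files it does not own.
strip_other_write_files() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree mirroring the modes in the ls listing above.
demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir "$d/Baby_Pictures"
    touch "$d/Baby_Pictures/IMG_0201.JPG" "$d/Baby_Pictures/IMG_0202.JPG" \
          "$d/Baby_Pictures/thumb_IMG_0201.JPG"
    chmod 666 "$d/Baby_Pictures/IMG_0201.JPG" "$d/Baby_Pictures/IMG_0202.JPG"
    chmod 644 "$d/Baby_Pictures/thumb_IMG_0201.JPG"
    chmod 777 "$d/Baby_Pictures"
    echo "$d"
}

# Report on a real directory when one is given, e.g. ./audit.sh ~/public_html/cpg133/albums
if [ -n "${1:-}" ]; then
    echo "world-writable files: $(count_world_writable_files "$1")"
    echo "open directories:     $(count_open_dirs "$1")"
    owner_summary "$1"
fi
```
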

kegobeer

You only need to set permissions for the directories that are identified in the documentation, the rest don't need to be changed.  You don't need to worry about using 777, as it's perfectly safe IMO.  There's a great discussion at http://www.simplemachines.org/community about it, written by Unknown.

As for explaining server setup ...
  a.  That really wouldn't be possible since there are so many different ways to set up a server
  b.  Most people use webhosts that don't allow any sort of server tinkering
  c.  That would lead to server setup questions, and since none of us are experts on all types of server setups, that would mean lots of unanswered questions
  d.  We specialize in Coppermine, and answering server questions takes away from answering Coppermine questions

Welcome to the community!

TheOhmster

Thank you kegobeer. You made me feel welcome.  8)

Ohmster