Hiawatha doesn't properly honor filesystem group permissions
SaltwaterC
18 June 2010, 15:15
I managed to identify a faulty behavior that forces me to lower the permissions in order to get it going. Besides the PHP-FPM pools (i.e. processes that listen on a particular socket) having their own security context, their own runtime UID/GID and open_basedir restrictions, I also use a fancy file system permissions scheme in order to provide an additional security layer. Long story short, in order to read the files from the disk, Hiawatha's user (www-data) is part of the PHP-FPM pool group, so the minimal permissions for proper operation are 550 for directories / 440 for files. Basically the web server has access through the group ACL.
This is the part where Hiawatha fails. It works OK if www-data owns the files / directories. It also works OK if the www-data group is set on the files / directories. Obviously, it works OK if the files are world readable. If somebody else owns the files / directories and the group of the files / directories is something other than www-data, but www-data is a member of that group, the request fails with a 403 error. It's quite needless to say that, logging in as the www-data system user, I can read those files that Hiawatha "can't" read.
Hiawatha version: 7.3
Operating System: Ubuntu 10.04 LTS x86_64
Hugo Leisink
18 June 2010, 21:13
Is this for all files or for CGI/PHP scripts only?
SaltwaterC
19 June 2010, 16:15
It happens for every file. Basically it can't get past the directory that contains the files. I tested with both world readable files and restricted permissions files. I reproduced this setup under a Debian Lenny VPS with minimal configuration. Here's my shell output:
hiawatha:/var/www# pwd
/var/www
hiawatha:/var/www# ls -la
total 20
drwxr-xr-x 3 root root 4096 Jun 19 13:16 .
drwxr-xr-x 14 root root 4096 Jun 19 13:11 ..
-rw-r--r-- 1 root root 321 Mar 6 2008 dummy.php
drwxr-x--- 2 root php-fpm 4096 Jun 19 14:14 hiawatha
-rw-r--r-- 1 root root 45 Jun 19 13:11 index.html
hiawatha:/var/www# cd hiawatha/
hiawatha:/var/www/hiawatha# ls -la
total 16
drwxr-x--- 2 root php-fpm 4096 Jun 19 14:14 .
drwxr-xr-x 3 root root 4096 Jun 19 13:16 ..
-rw-r----- 1 root php-fpm 17 Jun 19 14:10 index.php
-rw-r----- 1 root php-fpm 13 Jun 19 14:14 index.txt
hiawatha:/var/www/hiawatha# cat /etc/group | grep php-fpm
php-fpm:x:61:www-data
hiawatha:/var/www/hiawatha# ps auxw | grep hiawatha
www-data 14990 0.0 0.0 6728 1200 ? Ssl 14:13 0:00 /usr/sbin/hiawatha
root 15021 0.0 0.0 1720 516 pts/0 R+ 14:19 0:00 grep hiawatha
hiawatha:/var/www/hiawatha#
As you can see, www-data is in the php-fpm group, but it still can't get past /var/www/hiawatha. If I make /var/www/hiawatha world readable, then it can read index.php but it can't read index.txt.
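A diagnostic that is not part of this thread (added here, not posted by either participant): /etc/group only says which groups a user may be given; what the kernel enforces is the supplementary group list the process actually holds, which is the "Groups:" line in /proc/PID/status. A login shell (as used in the "logging in as www-data" check above) gets that list from the login process via initgroups(), while a daemon that starts as root and then only calls setgid()/setuid() keeps whatever supplementary groups it had, so the two can differ. The script below, written as a POSIX sh example, reads the live list for every process of a given name; the process and group names passed to check_daemon are assumptions for the call shown at the end.

```shell
#!/bin/sh
# Added example: report whether a running daemon actually holds a supplementary
# group, by reading the "Groups:" line of /proc/PID/status (Linux).
# The kernel checks this list, not /etc/group, when it evaluates group
# permissions on a directory or file.

# status_has_gid STATUSFILE GID
#   exit 0 if GID appears in the "Groups:" line of STATUSFILE, 1 otherwise
status_has_gid() {
    file=$1
    want=$2
    # Groups:<tab>33 61 <trailing space>  -> "33 61 "
    groups=$(sed -n 's/^Groups:[[:space:]]*//p' "$file")
    for g in $groups; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# gid_of GROUPNAME: numeric gid from the NSS group database
gid_of() {
    getent group "$1" | cut -d: -f3
}

# check_daemon PROCNAME GROUPNAME
#   prints one line per matching pid; exit 0 if at least one holds the group,
#   1 if none does, 2 if the group does not exist
check_daemon() {
    name=$1
    gid=$(gid_of "$2")
    [ -n "$gid" ] || { echo "no such group: $2" >&2; return 2; }
    rc=1
    for pid in $(pidof "$name"); do
        if status_has_gid "/proc/$pid/status" "$gid"; then
            echo "pid $pid ($name): holds gid $gid ($2)"
            rc=0
        else
            echo "pid $pid ($name): does NOT hold gid $gid ($2)"
        fi
    done
    return $rc
}

# Usage (assumed names, matching the setup in the thread): run as root so that
# /proc/PID/status of the daemon is readable.
# check_daemon hiawatha php-fpm
```

If the daemon's line does not list the gid while `id www-data` does, the discrepancy is in how the daemon dropped privileges (no initgroups()/setgroups() before setuid()), not in the filesystem permissions; if it does list the gid and access still fails, look at the kernel or the mount (e.g. an ACL or a security module) instead.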
Hugo Leisink
19 June 2010, 21:58
I've just reproduced your settings, but it all works fine here. You're sure there isn't something else which causes the problem?
SaltwaterC
19 June 2010, 23:40
I'll send you my VPS image as an OpenVZ template, made with Proxmox VE. Proxmox VE can be used inside a hypervisor such as VirtualBox, since OpenVZ is OS-level virtualization; I mention that to make clear that it doesn't require a bare metal installation. With the same setup, nginx doesn't complain. By default, under Debian/Ubuntu, nginx also runs as www-data.
I'll include an nginx instance as well for comparison.
Hugo Leisink
23 June 2010, 22:04
I've looked at your VPS, but I think the problem lies in your VPS's kernel, not in Hiawatha. For some reason, unknown to me, the kernel simply denies access to the requested files.
This topic has been closed.