/files folder the correct Chmod value is 777

shortmort37 wrote: ↑Sun Jun 13, 2021 5:20 pm
    I would like to know where in the phpBB code the move takes place so that I can further diagnose.

I don't think that phpBB uses a temp folder for uploads - but if you want the code I would start with phpbb\filesystem\filesystem.php, but it also looks as if it is using Symfony's filesystem.

phpbb/plupload/plupload.php (around line 408), and I know that jpeg attachments are processed here, e.g., for exif orientation. But perhaps all of that is a red herring.

stevemaury wrote: ↑Mon Jun 14, 2021 7:30 pm
    I have a question. You have an attachment in your /files folder and it is 666 and I want to write to it. How would I do that?

I admit to not knowing, Steve. But it's the things I don't know that make me vulnerable to hackers. What I do know is that the phpBB Knowledge Base recommends that all files have 644 protection, with the exception of config.php - and then, only briefly during installation, and even more restrictive post-installation. And I know that all uploaded attachments on the site I have been running since 2004 have file permissions of 644 in the /files directory.

That would be true, if not for the fact that 54plymouth.net/54test/upload.html (test code from W3 Schools) prompts you to upload a file and, once identified, uploads it via upload.php into the /files directory - the very same directory where phpBB attachment uploads occur - and the file permissions are 644. PHP code, same directory, same operating system and web server, same default umask (022, which would mask group/world write), but resulting in different file permissions. To me, that makes it phpBB-specific. I'm certainly open to other points of view, but I'm frankly stumped at this point.

thecoalman wrote: ↑Tue Jun 15, 2021 10:35 am
    Are the owners of the uploaded files both the same? Right-click in the FTP client and select properties; it should give you owner/group. My guess is the owner of the phpBB upload is root. If it is, the phpBB files/folders are also owned by root, which is not good.

By default, Apache provides www-data as the default user - I created a separate user account and group for security's sake, which I'll call here xxx:xxx. Everything in the public_html directory where 54test resides, and under it, is owned by xxx:xxx (not root). I also use the xxx account for sftp transfer to the website, so ownership remains consistent. If I use phpBB to upload a file, or the W3 Schools example, xxx owns the upload. Only the permissions are different.

thecoalman wrote: ↑Tue Jun 15, 2021 10:35 am
    This is a WHM/cPanel server? Use a separate account for that domain to upload files. Only use the root account if you need to work with files above root.

No, I don't have WHM/cPanel on my VPS. All server management is CLI, or using ssh clients.

thecoalman wrote: ↑Tue Jun 15, 2021 10:35 am
    You can change the owner/group and permissions with console commands or reupload them with the domain FTP account.
    Generally you should not be able to log in with the root account at all. Google it...

Agreed. I have a separate ssh account for that, and I sudo for any privileged operations.

shortmort37 wrote: ↑Tue Jun 15, 2021 12:52 am
    stevemaury wrote: ↑Mon Jun 14, 2021 7:30 pm
        I have a question. You have an attachment in your /files folder and it is 666 and I want to write to it. How would I do that?
    I admit to not knowing, Steve. But it's the things I don't know that make me vulnerable to hackers. What I do know is that the phpBB Knowledge Base recommends that all files have 644 protection, with the exception of config.php - and then, only briefly during installation, and even more restrictive post-installation.

That refers to phpBB files.

It turns out that phpBB does indeed upload to /tmp before doing a PHP copy to /files. For V3.3.3, it's on line 446 of phpbb/files/filespec.php:

Code: Select all
    if (!@copy($this->filename, $this->destination_file))

$this->filename is a file that, in my VPS, resides in my server's /tmp folder. rw-rw-rw- when the file is created. I've confirmed with the W3 Schools script - modified to report the umask - that 0022 is indeed the value as seen by PHP, so it remains a mystery, for now. But now I have an environment I can use for further exploration.

shortmort37 wrote: ↑Sun Jun 13, 2021 9:41 pm
    Interestingly, I never had this issue with my legacy board, which I'm moving to a new server. I accidentally discovered it because the permissions on the legacy files I ported over contrasted with the permissions on recent uploads; otherwise I might not have noticed.

D'Oh! The permissions of the legacy /files, once copied to the VPS destination /files folder, were determined by the default umask of the VPS server, not by the permissions as they lie on the legacy shared server. It was my mistake to assume the permissions were consistently rw-r--r-- on my legacy server - they weren't! The most recent attachment uploads on what is still my production environment on the legacy server - I'm assuming around the time I upgraded to V3.3.3 - have rw-rw-rw- permissions as well. In other words: the issue I've identified with phpBB on my VPS server is not an issue at all. I'm guessing that with the upgrade, Symfony changed the umask for attachment uploads. (I went looking for the changelog, but did not find it.) This is my bad.
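The open question in the thread is how a file copied into /files comes out rw-rw-rw- when PHP reports a umask of 0022. The shell script below is an added example, not code from the thread or from phpBB, that separates the two things a board admin needs to check. First, it shows exactly what the umask controls: a file created with a requested mode of 0666 (what a plain open() or PHP copy() asks for) ends up as 0666 & ~umask, so 022 gives 644 and 000 gives 666. A 666 file under a 022 umask therefore means either that the process which created it ran with a different umask than the one the test script reported, or that something ran chmod on the file after the copy; umask only bounds the mode at creation time. Second, it does the audit thecoalman and shortmort37 were doing by hand: it lists every file under an attachments directory that group or others can write to, prints each file's owner, and clamps loose files to 644 and loose directories to 755. The $WORK directory, the a.jpg/b.jpg names and the demo umask values are constructed for the demo; bash with GNU or BSD stat is assumed. Point find_loose_files and fix_loose_files at a real files/ directory to use them.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from phpBB: how umask shapes the mode
# of a newly created file, plus an audit of an attachments directory for
# files that group or others may write to. Everything under $WORK is
# constructed for this demo.
set -e

# Create an empty file the way a plain open() or PHP copy() does: the kernel
# is asked for 0666 and clears whatever bits the umask names.
create_with_umask() {            # $1 = umask (octal), $2 = path
    ( umask "$1"; : > "$2" )
}

# Octal mode of a file; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owning user of a file (thecoalman's question: do both uploads have the
# same owner?).
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Regular files under $1 that group (020) or others (002) may write to,
# one path per line.
find_loose_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Clamp loose files to 0644 and loose directories to 0755 under $1.
# Prints the number of files that were changed.
fix_loose_files() {
    local n
    n=$(find "$1" -type f \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' ')
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod 644 {} +
    find "$1" -type d \( -perm -020 -o -perm -002 \) -exec chmod 755 {} +
    echo "$n"
}

# Demo run on a throwaway directory (constructed input).
demo() {
    WORK="$(mktemp -d)"
    mkdir -p "$WORK/files"
    create_with_umask 022 "$WORK/files/a.jpg"   # 0666 & ~022 = 644
    create_with_umask 000 "$WORK/files/b.jpg"   # 0666 & ~000 = 666
    for f in "$WORK"/files/*; do
        printf '%s %s %s\n' "$(mode_of "$f")" "$(owner_of "$f")" "$f"
    done
    echo "loose before fix:"; find_loose_files "$WORK/files"
    echo "fixed $(fix_loose_files "$WORK/files") file(s)"
    echo "loose after fix:";  find_loose_files "$WORK/files"
    rm -rf "$WORK"
}

demo
```

Run the audit functions against the real attachment directory with the same account that owns the board files, so the chmod calls succeed; if the audit keeps finding fresh 666 files after the umask has been confirmed as 022, the next place to look is any chmod that the upload code path runs after the copy, because that is the only other way the mode can change.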