Uploaded attachments are world-writeable


Post by shortmort37 »

Support Request Template
What version of phpBB are you using? phpBB 3.3.4
What is your board's URL? www.54plymouth.net/54test
Who do you host your board with? inmotionhosting.com
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Fresh Install
Is registration required to reproduce this issue? Yes (to upload an attachment. Even so, file permissions are not visible to users)
Do you have any MODs installed? No
Do you have any extensions installed? No
What styles do you currently have installed? prosilver
What language(s) is your board currently using? English
Which database type/version are you using? MariaDB
What is your level of experience? Comfortable with PHP and phpBB
What username can be used to view this issue? No answer given
What password can be used to view this issue? No answer given
What actions did you take (updating your board; installing a MOD, style or extension; etc.) prior to this problem becoming noticeable? Using an out of the box phpBB 3.3.4 install, I replied to the Welcome post with an attachment.
Please describe your problem. On upload, the permissions of the uploaded file in the <root>/files directory are 666, not 644. This makes the files world-writeable.
As I understand it, uploads are placed in a temp storage location before they are moved to <root>/files. If this is indeed correct, I would like to know where in the phpBB code the move takes place so that I can further diagnose.

One more comment: I have placed this php script from W3 Schools in the phpBB root directory, and edited upload.php to deposit the uploaded file into <root>/files. The deposited file has 644 permissions.

Last edited by shortmort37 on Sun Jun 13, 2021 6:05 pm, edited 2 times in total.

Re: Uploaded attachments are world-writeable

Post by ssl »

Hi
For ./files folder the correct Chmod value is 777
Look here: https://www.phpbb.com/support/docs/en/3 ... rmissions/
Sorry for my English ... I do my best!


Re: Uploaded attachments are world-writeable

Post by shortmort37 »

The permissions for the /files directory on my test board *IS* 777.

However, the permissions for attachment *FILES* that get uploaded into that directory are 666 (not 644, as they should be).

Re: Uploaded attachments are world-writeable

Post by david63 »

shortmort37 wrote: Sun Jun 13, 2021 5:20 pm I would like to know where in the phpBB code the move takes place so that I can further diagnose.
I don't think that phpBB uses a temp folder for uploads - but if you want the code I would start with phpbb\filesystem\filesystem.php but it also looks as if it is using Symfony's filesystem
David

Re: Uploaded attachments are world-writeable

Post by shortmort37 »

Thanks for the hint, David - I'll start poking around in there. For what it's worth, I think I got the impression of a temp folder from poking around in phpbb/plupload/plupload.php (around line 408), and I know that jpeg attachments are processed here, e.g., for exif orientation. But perhaps all of that is a red herring.

Interestingly, I never had this issue with my legacy board, which I'm moving to a new server. I accidentally discovered it because the permissions on the legacy files I ported over contrasted with the permissions on recent uploads; otherwise I might not have noticed.

Thanks again for the hint.

Re: Uploaded attachments are world-writeable

Post by stevemaury »

I have a question. You have an attachment in your /files folder and it is 666 and I want to write to it. How would I do that?

Re: Uploaded attachments are world-writeable

Post by EA117 »

I am in no way a Linux file system permissions expert, nor do I have a definitive answer for you. But I suspect you're looking at a difference in how the web server (httpd) startup and permissions are set on your new "blank" VPS server, versus how your prior hosting service had already configured them for you.

Even on Windows, such services are started under a particular security context, which when combined with the ACLs on the involved folders, determines what security is going to be applied by default to files created by that service. I've seen reference to specifying a group or user for the Apache process to run under, "umask", and I'm sure there are a dozen other things I don't know about what ultimately decides the calculus of how Linux determines what permissions the file will have by default.

Things we get to learn by providing our own hosting support. Hopefully someone with the needed expertise might chime in. You might also look for answers among non-phpBB-specific resources related to web server configuration and file system permissions, since I doubt the ultimate answer is phpBB-specific.

Re: Uploaded attachments are world-writeable

Post by shortmort37 »

stevemaury wrote: Mon Jun 14, 2021 7:30 pm I have a question. You have an attachment in your /files folder and it is 666 and I want to write to it. How would I do that?
I admit to not knowing, Steve. But it's the things I don't know, that make me vulnerable to hackers. What I do know, is that the phpBB Knowledge Base recommends that all files have 644 protection, with the exception of config.php - and then, only briefly during installation, and even more restrictive post-installation. And I know that all uploaded attachments on the site I have been running since 2004 have file permissions of 644 in the /files directory.

Very possibly any malicious hacker would have already had to have a toehold somewhere on my site to exploit these permissions. But why assist them? At any rate, I am seeking to explain behavior on my new site, that I don't see on my old site; the very same code. (One other observation: As the cache is populated with files in the twig subfolders on the fly, these too have 644 permissions - but not uploaded attachments.)
EA117 wrote: Mon Jun 14, 2021 9:27 pm You might also look for answers among non-phpBB-specific resources related to web server configuration and file system permissions, since I doubt the ultimate answer is phpBB-specific.
That would be true, if not for the fact that 54plymouth.net/54test/upload.html (test code from W3 Schools) prompts you to upload a file, and once identified, uploads it via upload.php into the /files directory - the very same directory, where phpBB attachment uploads occur - and the file permissions are 644. PHP code, same directory, same operating system and web server, same default umask (022, which would mask group/world write), but resulting in different file permissions. To me, that makes it phpBB-specific. I'm certainly open to other points of view, but I'm frankly stumped at this point.

Re: Uploaded attachments are world-writeable

Post by thecoalman »

Are the owners of the uploaded files both the same? Right click in FTP client and select properties, it should give you owner/group, my guess is the owner of the phpBB upload is root. If it is, the phpBB files/folders are also owned by root which is not good.

This is WHM/Cpanel server? Use a separate account for that domain to upload files. Only use root account if you need to work with files above root.

You can change the owner/group and permissions with console commands or reupload them with domain FTP account.

Generally you should not be able to login with root account at all. Google it... :D

Re: Uploaded attachments are world-writeable

Post by shortmort37 »

thecoalman wrote: Tue Jun 15, 2021 10:35 am Are the owners of the uploaded files both the same? Right click in FTP client and select properties, it should give you owner/group, my guess is the owner of the phpBB upload is root. If it is, the phpBB files/folders are also owned by root which is not good.
By default, Apache provides www-data as the default user - I created a separate user account and group for security’s sake, I’ll call here xxx:xxx. Everything in the public_html directory where 54test resides, and under, is owned by xxx:xxx (not root). I also use the xxx account for sftp transfer to the website, so ownership remains consistent. If I use phpBB to upload a file, or the W3 Schools example, xxx owns the upload. Only the permissions are different.
thecoalman wrote: Tue Jun 15, 2021 10:35 am This is WHM/Cpanel server? Use a separate account for that domain to upload files. Only use root account if you need to work with files above root.
No, I don’t have WHM/Cpanel on my VPS. All server management is CLI, or using ssh clients.
thecoalman wrote: Tue Jun 15, 2021 10:35 am You can change the owner/group and permissions with console commands or reupload them with domain FTP account.

Generally you should not be able to login with root account at all. Google it... :D
Agreed. I have a separate ssh account for that, and I sudo for any privileged operations.

File ownership is separate from root, and consistent whether apache upload or sftp transfer. What’s not consistent, are file permissions.
Last edited by shortmort37 on Tue Jun 15, 2021 2:21 pm, edited 1 time in total.

Re: Uploaded attachments are world-writeable

Post by stevemaury »

shortmort37 wrote: Tue Jun 15, 2021 12:52 am
stevemaury wrote: Mon Jun 14, 2021 7:30 pm I have a question. You have an attachment in your /files folder and it is 666 and I want to write to it. How would I do that?
I admit to not knowing, Steve. But it's the things I don't know, that make me vulnerable to hackers. What I do know, is that the phpBB Knowledge Base recommends that all files have 644 protection, with the exception of config.php - and then, only briefly during installation, and even more restrictive post-installation.
That refers to phpBB files.

Re: Uploaded attachments are world-writeable

Post by shortmort37 »

It took me a while to learn about using Sublime as an IDE, and to set up Xdebug to work remotely. I'm still a novice, but I have now tracked down exactly where the file is created.
david63 wrote: Sun Jun 13, 2021 9:12 pm I don't think that phpBB uses a temp folder for uploads - but if you want the code I would start with phpbb\filesystem\filesystem.php but it also looks as if it is using Symfony's filesystem
It turns out that phpBB does indeed upload to /tmp, before doing a PHP copy to /files. For V3.3.3, it's on line 446 of phpbb/files/filespec.php:

if (!@copy($this->filename, $this->destination_file))
$this->filename is a file that, in my VPS, resides with my server's /tmp folder.

There's no setting of permissions in this call; my understanding is that under these circumstances the file creation should respect the umask setting of 0022, which should clear the "w" permission for group and world. But they are set to rw-rw-rw- when the file is created. I've confirmed with the W3 Schools script - modified to report the umask - that 0022 is indeed the value as seen by PHP, so it remains a mystery; for now. But now I have an environment I can use for further exploration.

I'm open to all useful hints about how I can further explore. Meanwhile, I'll continue to plod away.

Edit: Agent Ransack reports 14 references to umask in phpBB. I'm now guessing that Symfony tweaks the umask (unlike the W3 Schools example)
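
The umask behaviour discussed in the post above, as an added example that is not part of the thread or of phpBB's code: a shell redirect stands in for a create-for-write that requests mode 0666 (as PHP's copy() does for its destination), so the resulting mode depends only on the umask in effect at that moment. The function names and temp paths are hypothetical; the last two functions audit and tighten an upload directory.

```shell
#!/bin/sh
# Added illustration; all files live in a throwaway temp directory
# (constructed sample data, not a real board).

# Print a file's permission bits in octal (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create DEST with a plain open-for-write (requested mode 0666, then
# masked by the umask) and print the resulting mode. The subshell keeps
# the umask change from leaking into the caller.
mode_after_create() {   # usage: mode_after_create UMASK SRC DEST
    (
        umask "$1"
        cat "$2" > "$3"
        file_mode "$3"
    )
}

# List regular files under DIR that have the "other" write bit set.
audit_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Clear group/other write on regular files under DIR; other bits untouched.
tighten_uploads() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \) -exec chmod go-w {} +
}

demo() {
    work=$(mktemp -d) || return 1
    echo "constructed attachment" > "$work/upload.tmp"
    mkdir "$work/files"
    echo "umask 022 -> $(mode_after_create 022 "$work/upload.tmp" "$work/files/a.dat")"
    echo "umask 000 -> $(mode_after_create 000 "$work/upload.tmp" "$work/files/b.dat")"
    echo "world-writable before:"; audit_world_writable "$work/files"
    tighten_uploads "$work/files"
    echo "world-writable after: $(audit_world_writable "$work/files" | wc -l)"
    rm -rf "$work"
}
demo
```

A file that ends up rw-rw-rw- from such a create means the effective umask was 000 at the time of the write, whatever value the same server reports in another script.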

Re: Uploaded attachments are world-writeable

Post by shortmort37 »

shortmort37 wrote: Sun Jun 13, 2021 9:41 pm Interestingly, I never had this issue with my legacy board, which I'm moving to a new server. I accidentally discovered it because the permissions on the legacy files I ported over contrasted with the permissions on recent uploads; otherwise I might not have noticed.
D'Oh! The permissions of the legacy /files once copied to the VPS destination /files folder were determined by the default umask of the VPS server, not by the permissions as they lie on the legacy shared server. It was my mistake to assume the permissions were consistently rw-r--r-- on my legacy server - they weren't! The most recent attachment uploads on what is still my production environment on the legacy server - I'm assuming around the time I upgraded to V3.3.3 - have rw-rw-rw- permissions as well. In other words: The issue I've identified with phpBB on my VPS server is not an issue at all. I'm guessing that with the upgrade, Symfony changed the umask for attachment uploads. (I went looking for the changelog, but did not find it.) This is my bad.

Still, not a wasted exercise. I've learned how to debug remotely with Xdebug, so that's not a bad thing. Thanks to all for your input; Admin, this thread can be closed.