MantisBT - Piwigo
View Issue Details
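ID: 0002725
Project: Piwigo
Category: security
View Status: public
Date Submitted: 2012.08.18 22:57
Last Update: 2012.08.30 21:21
Reporter: kubrick
Assigned To: rvelices
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
OS: Debian
OS Version: Squeeze
Product Version: 2.4.3
Fixed in Version: 2.4.4
Browser: any
Web server: Apache 1.3.x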
0002725: Piwigo isn't compatible with suPHP
When using suPHP, a nice-to-have feature when hosting different PHP applications on the same HTTP server, scripts are executed as a different user from the HTTP server.
The scripts are executed as the owner of the script, therefore files created by the scripts are created with the same owner and group as the script.

Files created by Piwigo (uploads, thumbnails) are created with 0600 rights, and because static content is not served by suPHP, the access to the files is denied.

I created a patch (attached) to fix the problem; it works for me.
Plugin installation is still broken though, and plugins require a bit of manual housekeeping, but that's to be expected with suPHP; at least the app works.
Install Piwigo normally. Install suPHP support. Create a user and a group for piwigo.
chmod -R u=rwX,g=rx,o= <piwigo directory>
chown -R <piwigo-user>:<httpd-group> <piwigo directory>
find <piwigo directory> -name "*.php" -exec chgrp <piwigo-group> {} \;

Upload photos; the HTTP server will be unable to serve the images.
http://piwigo.org/forum/viewtopic.php?id=19692
No tags attached.
patch piwigo-suphp-compat.patch (1,752) 2012.08.18 22:57
http://piwigo.org/bugs/file_download.php?file_id=148&type=bug
Issue History
2012.08.18 22:57  kubrick  New Issue
2012.08.18 22:57  kubrick  File Added: piwigo-suphp-compat.patch
2012.08.18 22:57  kubrick  browser => any
2012.08.18 22:57  kubrick  Web server => Apache 1.3.x
2012.08.27 10:29  rvelices  Note Added: 0006569
2012.08.27 10:29  rvelices  Status: new => feedback
2012.08.27 14:27  kubrick  Note Added: 0006571
2012.08.27 15:25  rvelices  Note Added: 0006572
2012.08.27 15:36  rvelices  Status: feedback => new
2012.08.27 15:37  kubrick  Note Added: 0006573
2012.08.29 10:46  rvelices  Status: new => assigned
2012.08.29 10:46  rvelices  Assigned To => rvelices
2012.08.30 21:20  svn  Checkin
2012.08.30 21:20  svn  Note Added: 0006594
2012.08.30 21:20  svn  Checkin
2012.08.30 21:20  svn  Note Added: 0006595
2012.08.30 21:21  rvelices  Status: assigned => closed
2012.08.30 21:21  rvelices  Resolution: open => fixed
2012.08.30 21:21  rvelices  Fixed in Version => 2.4.4

Notes
(0006569)
rvelices   
2012.08.27 10:29   
Guys, I think you should update your umask parameter in the suPHP config file from 0077 to 0022.
(0006571)
kubrick   
2012.08.27 14:27   
Hi,

Yes and no. That would definitely fix the problem but, although I don't know about Piwigo, other applications might store sensitive information (temporary files, configuration file created at install...) in files they create with this umask that would then be readable by everyone.

I can't possibly review the code of all the applications I'm hosting; I feel more secure by leaving the umask at 0077, especially since the other apps I'm hosting don't have any problem with that (forums, CMS, CRM, Webmail, etc.).

Thanks.
(0006572)
rvelices   
2012.08.27 15:25   
ok.
We'll probably use the already existing $conf['chmod_value'] (defined in config_default.inc.php)
We use this variable for directory permissions and it appears to work since you don't have any issue with directories. (it's better to use it instead of hardcoded 0644)
(0006573)
kubrick   
2012.08.27 15:37   
Yes, that seems pretty reasonable to me, my patch was just a "make it work" quick and dirty fix.
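The trade-off argued in notes 0006569 to 0006572, as an added example that is not part of the thread or of Piwigo's code: it creates a config file and an upload under each option, then lists which files the web server's group cannot read and which are world-readable. The file names, function names and the 0640 upload mode are assumptions.

```shell
#!/bin/sh
# Added illustration, not Piwigo code. File names are constructed and the
# 0640 mode is an assumption matching the report's "g=rx,o=" layout.

# simulate <dir> <umask> [upload-mode]
# Creates a config file and an uploaded photo the way a suPHP-run script
# would under <umask>. If <upload-mode> is given, only the upload gets an
# explicit chmod (the per-application fix discussed in the notes).
simulate() {
    mkdir -p "$1" || return 1
    ( umask "$2" && : > "$1/config.inc.php" && : > "$1/photo.jpg" ) || return 1
    if [ -n "${3:-}" ]; then chmod "$3" "$1/photo.jpg"; fi
}

# Files the HTTP server (a member of the file's group) cannot read.
not_group_readable() { find "$1" -type f ! -perm -040 | sort; }

# Files any local user can read: the exposure a global umask 0022 creates.
world_readable() { find "$1" -type f -perm -004 | sort; }

demo() {
    base=$(mktemp -d) || return 1
    simulate "$base/umask0077" 0077        # the reported failure
    simulate "$base/umask0022" 0022        # global umask relaxed
    simulate "$base/explicit"  0077 0640   # umask kept, upload chmod'ed
    for d in umask0077 umask0022 explicit; do
        echo "== $d"
        echo "not readable by the web server group:"
        not_group_readable "$base/$d"
        echo "world-readable:"
        world_readable "$base/$d"
    done
    rm -rf "$base"
}

# Print the comparison only when invoked as: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

With the umask left at 0077 and an explicit mode on the upload only, the config file stays at 0600 while the photo becomes readable by the server's group and by nobody else.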
(0006594)
svn   
2012.08.30 21:20   
[Subversion] r17675 by rvelices on trunk

-----[Subversion commit log]----------------------------------------------------
bug 2725: Piwigo isn't compatible with suPHP + better handling of watermark upload errors
(0006595)
svn   
2012.08.30 21:20   
[Subversion] r17676 by rvelices on branch 2.4

-----[Subversion commit log]----------------------------------------------------
bug 2725: Piwigo isn't compatible with suPHP + better handling of watermark upload errors merge from trunk to branch 2.4