Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.

ID: 0002725
Project: Piwigo
Category: security
View Status: public
Date Submitted: 2012.08.18 22:57
Last Update: 2012.08.30 21:21
Assigned To: rvelices
Platform: Linux
OS: Debian
OS Version: Squeeze
Product Version: 2.4.3
Target Version:
Fixed in Version: 2.4.4
Summary: 0002725: Piwigo isn't compatible with suPHP
Description: When using suPHP, a nice-to-have feature when hosting different PHP applications on the same HTTP server, scripts are executed as a different user from the HTTP server.
The scripts are executed as the owner of the script, therefore files created by the scripts are created with the same owner and group as the script.

Files created by Piwigo (uploads, thumbnails) are created with 0600 rights, and because static content is not served by suPHP, the access to the files is denied.

I created a patch (attached) to fix the problem, it works for me.
Plugins installation is still broken though, and they require a bit of manual housekeeping but that's to be expected with suPHP, but at least, the app works.
Steps To Reproduce: Install Piwigo normally. Install suPHP support. Create a user and a group for piwigo.
chmod -R u=rwX,g=rx,o= <piwigo directory>
chown -R <piwigo-user>:<httpd-group> <piwigo directory>
find <piwigo directory> -name "*.php" -exec chgrp <piwigo-group> {} \;

Upload photos; the HTTP server will be unable to serve the images.
Additional Information: http://piwigo.org/forum/viewtopic.php?id=19692
Tags: No tags attached.
Database engine and version:
PHP version:
Web server: Apache 1.3.x
Attached Files: piwigo-suphp-compat.patch (1,752 bytes) 2012.08.18 22:57

- Notes
rvelices (developer)
2012.08.27 10:29

guys, I think you should update your umask parameter in suPHP config file from 0077 to 0022
kubrick (reporter)
2012.08.27 14:27


Yes and no. That would definitely fix the problem but, although I don't know about Piwigo, other applications might store sensitive information (temporary files, configuration file created at install...) in files they create with this umask that would then be readable by everyone.

I can't possibly review the code of all the applications I'm hosting, I feel more secure by leaving the umask at 0077, especially since the other apps I'm hosting don't have any problem with that (forums, CMS, CRM, Webmail, etc...)

rvelices (developer)
2012.08.27 15:25

We'll probably use the already existing $conf['chmod_value'] (defined in config_default.inc.php)
We use this variable for directory permissions and it appears to work since you don't have any issue with directories. (it's better to use it instead of hardcoded 0644)
kubrick (reporter)
2012.08.27 15:37

Yes, that seems pretty reasonable to me, my patch was just a "make it work" quick and dirty fix.
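The approach agreed on in the notes above (apply the configured $conf['chmod_value'] explicitly instead of relying on the process umask), written out as an added example. This is not Piwigo's own code: the value 0755 for $conf['chmod_value'], the helper names, and the rule that files get the directory mode with the execute bits stripped are assumptions made for the demonstration.

```php
<?php
// Added example, not Piwigo's own code. Under suPHP with umask 0077 every
// file a script creates is 0600 and the web server user (a different
// account) cannot serve it. The fix is to set a configured mode on each
// created file and directory, independent of whatever umask is in force.

// Piwigo defines $conf['chmod_value'] in config_default.inc.php; the
// value 0755 used here is an assumption for the demo.
$conf = array('chmod_value' => 0755);

// Assumed convention: files get the directory mode minus the execute bits,
// so a directory mode of 0755 gives a file mode of 0644.
function file_mode_from_conf(array $conf)
{
    return $conf['chmod_value'] & ~0111;
}

// Create a directory with the configured mode regardless of umask.
// mkdir() masks its mode argument with the umask; chmod() does not.
function create_dir_with_mode($dir, array $conf)
{
    if (!is_dir($dir) && !mkdir($dir, $conf['chmod_value'], true)) {
        return false;
    }
    return chmod($dir, $conf['chmod_value']);
}

// Write file content (e.g. an upload or a generated thumbnail) and then
// apply the configured file mode so static content can be served by the
// HTTP server user even though the file was created by the script owner.
function save_file_with_mode($dest, $content, array $conf)
{
    if (file_put_contents($dest, $content) === false) {
        return false;
    }
    return chmod($dest, file_mode_from_conf($conf));
}

// Permission bits of a path as a four-digit octal string.
function mode_string($path)
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 0777);
}

// Demo: reproduce the reported environment by forcing umask 0077, then
// compare a naive write with the explicit-mode write.
$old_umask = umask(0077);
$base = sys_get_temp_dir() . '/piwigo-suphp-demo-' . getmypid();
create_dir_with_mode($base, $conf);

$naive = $base . '/naive.jpg';
file_put_contents($naive, 'constructed sample bytes'); // no chmod: inherits the 0077 umask
printf("naive write:   %s\n", mode_string($naive));

$fixed = $base . '/fixed.jpg';
save_file_with_mode($fixed, 'constructed sample bytes', $conf);
printf("explicit mode: %s\n", mode_string($fixed));
printf("directory:     %s\n", mode_string($base));

umask($old_umask);
unlink($naive);
unlink($fixed);
rmdir($base);
```

Run it as the script-owner user on a POSIX host; the first line shows what the web server sees without the fix, the second and third show the configured modes. Keeping the site-wide umask at 0077, as the reporter prefers, stays safe for the other hosted applications, while only the files this application intends to publish get the wider mode.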
svn (reporter)
2012.08.30 21:20

[Subversion] r17675 by rvelices on trunk

-----[Subversion commit log]----------------------------------------------------
bug 2725: Piwigo isn't compatible with suPHP + better handling of watermark upload errors
svn (reporter)
2012.08.30 21:20

[Subversion] r17676 by rvelices on branch 2.4

-----[Subversion commit log]----------------------------------------------------
bug 2725: Piwigo isn't compatible with suPHP + better handling of watermark upload errors merge from trunk to branch 2.4

- Issue History
Date Modified Username Field Change
2012.08.18 22:57 kubrick New Issue
2012.08.18 22:57 kubrick File Added: piwigo-suphp-compat.patch
2012.08.18 22:57 kubrick browser => any
2012.08.18 22:57 kubrick Web server => Apache 1.3.x
2012.08.27 10:29 rvelices Note Added: 0006569
2012.08.27 10:29 rvelices Status new => feedback
2012.08.27 14:27 kubrick Note Added: 0006571
2012.08.27 15:25 rvelices Note Added: 0006572
2012.08.27 15:36 rvelices Status feedback => new
2012.08.27 15:37 kubrick Note Added: 0006573
2012.08.29 10:46 rvelices Status new => assigned
2012.08.29 10:46 rvelices Assigned To => rvelices
2012.08.30 21:20 svn Checkin
2012.08.30 21:20 svn Note Added: 0006594
2012.08.30 21:20 svn Checkin
2012.08.30 21:20 svn Note Added: 0006595
2012.08.30 21:21 rvelices Status assigned => closed
2012.08.30 21:21 rvelices Resolution open => fixed
2012.08.30 21:21 rvelices Fixed in Version => 2.4.4

Copyright © 2000 - 2019 MantisBT Team