.fil permissions


    #31
    I wonder if this is a server problem allowing the user "nobody" to write, or rather stopping the user "nobody", although the ftp user specified in actinic should be able to do all that is needed providing it has the correct privileges when set up.

    Unfortunately no server / os / control panel seems to adhere to the same standards these days.



      #32
      Hi Sendmore,

      Thanks for letting me know... and please let us know what happens.
      Does seem like a drastic change to the server setup. I'm surprised and a bit worried that actinic won't work without loosening permissions... I don't know if it's secure, maybe someone from actinic could comment if this is a sensible fix.
      Arka Tribal Jewellery



        #33
        Hi Feemish
        I have tested my test site and it does appear to work including the online stock control. Feel free to try my test site yourself: http://www.sendmore.co.uk/acatalog/test/acatalog/. I, like you, do not know if it is a secure fix. I put in a call to Actinic yesterday morning and they have of course not returned my call! My hosting company's reply when I asked if it would be a secure solution said "This only means it's writable by the webserver, it's not as if unknown third parties can write to the disk, unless Actinic is exploitable"
        Does anyone know if it is?

        Hi Darren B
        Thanks for the idea I will check with the hosting company re setup regarding 'nobody'



          #34
          Yes your site is working now..

          Would you mind telling me who your hosting company is?
          and what server set up you have with them.

          Do you have WHM or Cpanel like I do?

          All a bit odd as I thought that the acatalog folder was writable by the webserver anyway. I just wish actinic themselves would let us know a secure fix for this.
          Arka Tribal Jewellery



            #35
            Hi Feemish
            My hosting company is UkFast I have a virtual server Dual CPU Dual Core AMD Opteron with Linux. It has Plesk. The UKFast tech support is superb.
            Hopefully I will hear something from Actinic today.



              #36
              So we are both running actinic on a shared web server (VPS).
              I can't find any warnings from actinic that the software won't work on a shared web server but this is the common factor.
              Arka Tribal Jewellery



                #37
                Still banging my head.

                Would anyone with access to their server, and a working v10 site, who can be bothered, please have a look and tell me what the permissions are on their 'public_html' folder.

                I imagine they're 0750, but what about the owner and group.

                gonna be either <username> or <nobody> I expect, but which?

                and what about the owner and group of acatalog and cgi-bin folders within public_html?
                Arka Tribal Jewellery



                  #38
                  Originally posted by sendmore
                  My hosting company's reply when I asked if it would be a secure solution said "This only means it's writable by the webserver, it's not as if unknown third parties can write to the disk, unless Actinic is exploitable"
                  Does anyone know if it is?
                  Actinic has to be able to have write access to its files, and actinic runs as the web server. Any ecommerce web site, or any site where web users can leave comments or other information will need this type of access. You will need to ask Actinic if it is 'exploitable'!

                  Malcolm

                  SellerDeck Accredited Partner,
                  SellerDeck 2016 Extensions, and
                  Custom Packages



                    #39
                    Originally posted by feemish
                    All a bit odd as I thought that the acatalog folder was writable by the webserver anyway. I just wish actinic themselves would let us know a secure fix for this.
                    The web server has to be running as owner to have write access to the Actinic files when the permissions are set to 644 or 755, only the owner is allowed to write to the files. What has happened to 'sendmore' is that his host has set the web server process so that it is effectively running as the owner and therefore has write access to the file.

                    On your system you have shown that the web server is not running as the owner as you had to set the permissions to give write access to other groups.

                    The web server needs to have write access to files, this is not normally a problem as the site visitors do not have owner permissions and therefore cannot write to the files or folders, whereas the web server can.

                    Malcolm

                    SellerDeck Accredited Partner,
                    SellerDeck 2016 Extensions, and
                    Custom Packages



                      #40
                      Originally posted by feemish
                      Still banging my head.

                      Would anyone with access to their server, and a working v10 site, who can be bothered, please have a look and tell me what the permissions are on their 'public_html' folder.

                      I imagine they're 0750, but what about the owner and group.

                      gonna be either <username> or <nobody> I expect, but which?

                      and what about the owner and group of acatalog and cgi-bin folders within public_html?
                      My root folder is set to 755

                      Malcolm

                      SellerDeck Accredited Partner,
                      SellerDeck 2016 Extensions, and
                      Custom Packages



                        #41
                        Originally posted by feemish
                        Still banging my head.

                        Would anyone with access to their server, and a working v10 site, who can be bothered, please have a look and tell me what the permissions are on their 'public_html' folder.

                        I imagine they're 0750, but what about the owner and group.

                        gonna be either <username> or <nobody> I expect, but which?

                        and what about the owner and group of acatalog and cgi-bin folders within public_html?
                        public_html is 755

                        are you using your master ftp password and username?
                        have you created an ftp user that only has access to the public_html area and not your complete server root - which is setup by cpanel from day one.

                        I never advise anyone to use their main ftp account, the main reason being security



                          #42
                          Thanks for sticking with me guys... Actinic support are not helping me with this, and I'm very disappointed about that.

                          Hi Darren, I got all excited there, I thought it might be to do with using the main ftp account (which I was).
                          However I created a new ftp account with access only to 'public_html' and went through the upload process again, but it made no difference.

                          My 'public_html' folder now has the same permissions as you 0755.

                          But I would like to know the 'ownership' of 'public_html' in working sites.
                          My ownership of 'public_html' is owner<username>:group<nobody>
                          and that is correct according to cPanel support.

                          I ask this because of a reply from our server support:

                          I have just taken a look at your server and the problem is that (almost) all the files in your webroot are owned by the user "marka24" and group "marka24". This is causing a problem because the webserver runs as user "nobody".

                          In order to enable the webserver to access those files the webserver will need permission to do so. At the moment in order to do that with and leave the current ownerships then they would need to have world read/write permissions enabled which is rather insecure.

                          Alternatively you can make the files owned by user "nobody" which will enable the webserver to have the access it requires. This could be achieved with the following command:

                          chown -R nobody:nobody /home/marka24/public_html

                          This does have the security issue that the files are owned by the webserver and could potentially be read or modified by anyone manipulating the webserver from the internet or locally on the server.

                          Alternatively, you could enable suphp/suexec for the server which will make the script files get executed as their owner rather than the webserver user. You will then not have to alter any of the ownerships but would affect every site on the server and some would doubtless need fixing after that change. This would be the most secure method of fixing this but would involve the most work.
                          Now none of these solutions seem correct to me.


                          I keep going back to Malbros answer that is that the webserver needs to be running as 'owner'. My server support clearly says that the server is running as 'nobody' I am waiting for a response from them about this, but I was under the impression servers typically ran as 'nobody'
                          Arka Tribal Jewellery



                            #43
                            This is the reply I got from memset support.

                            The server in question is the webserver i.e. apache. This has to run as a user. In the case of your server that user is the user "nobody". This cannot be changed, especially as there is no user "owner" on the server. The advice you got on the forum was not referring to a specific user "owner" but rather the owner of the cgi's files.

                            So in short, no, the webserver cannot be run as user "owner" nor would you want it to.

                            The resolution I have suggested; namely suexec, is the only way to give the webserver access to the website files including the cgi and other files without changing their ownership nor giving them insecure permissions.

                            Is there a particular reason that you are not considering this as an option?
                            Arka Tribal Jewellery
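
Added example, not part of any post in this thread: a small Python model of the POSIX owner/group/other write check, applied to the three options from the support reply quoted in #42 (world-writable files, `chown` to "nobody", suexec). It assumes regular files at mode 644 as the starting point and ignores root and ACLs; "othersite" is a constructed second account on the same server.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o644

def can_write(user, groups, f):
    """POSIX class selection: exactly one of owner/group/other applies.
    Root and ACLs are ignored in this model."""
    if user == f.owner:
        return bool(f.mode & stat.S_IWUSR)
    if f.group in groups:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)

# Identities on the shared host as (name, groups). "othersite" is a
# constructed second customer account, not a name from the thread.
ACCOUNT = ("marka24", {"marka24"})        # FTP upload user / file owner
WEBSERVER = ("nobody", {"nobody"})        # Apache user per the support reply
OTHERSITE = ("othersite", {"othersite"})

# (file metadata, identity the CGI script runs as) for each option discussed.
OPTIONS = {
    "as found":       (FileMeta("marka24", "marka24", 0o644), WEBSERVER),
    "world-writable": (FileMeta("marka24", "marka24", 0o666), WEBSERVER),
    "chown nobody":   (FileMeta("nobody", "nobody", 0o644), WEBSERVER),
    "suexec":         (FileMeta("marka24", "marka24", 0o644), ACCOUNT),
}

def writers(option):
    """Report who can write the file under the given option."""
    f, cgi_identity = OPTIONS[option]
    return {
        "cgi_script": can_write(*cgi_identity, f),
        "ftp_account": can_write(*ACCOUNT, f),
        "other_local_user": can_write(*OTHERSITE, f),
        # Without suexec, every site's scripts share the webserver identity.
        "any_script_as_nobody": can_write(*WEBSERVER, f),
    }

if __name__ == "__main__":
    for name in OPTIONS:
        print(f"{name:15}", writers(name))
```

In this model only the suexec row lets the site's own script write while keeping FTP uploads working and denying both other local users and other scripts running as "nobody".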



                              #44
                              Does anyone else have suphp/suexec enabled on their servers?
                              Arka Tribal Jewellery



                                #45
                                Yep we do.

                                acatalog is 755, cgi-bin is 755

                                You can have a temp acct with us if you like to upload a test site and compare - no charge
