Topic: PHP TMP Folder

[Smitro]

Hi all,

After upgrading to SME8 I now have a user with a wordpress website that is unable to access the Temporary Folder. I'm not sure if something has changed between versions. I would love to know how to fix this.

As I'm sure most of you would know the problem is because of the open_base_dir restriction in PHP. Now, I'm sure I could just open up all sorts of stuff and give out a stack of permissions, but I'd like to know what is the safest/secure to make this work (the best practice). I've seen some forum posts that show how to give access to the TMP folder. Should I be doing this? or should this IBAY have its own TMP folder and can we make PHP.ini point to this folder?

I've also noticed that all forum chat about this has been in past versions of SME, so I wanted to make sure of the correct commands for SME8.

[janet]

Smitro

See
http://wiki.contribs.org/PHP#Modifying_the_PHPBaseDir_setting_for_an_ibay

Create a tmp folder within the ibay or folder where the app is installed, anf specify that unique location on a per app basis.

If you use a common /tmp folder for all php apps, this could lead to cross site hacking via the common folder, so best to create individual /application.../tmp folders

[mmccarn]

Since I seem to see lots of discussion of open_basedir - /tmp related problems, I've created a new feature request in the bug tracker to set a reasonable value for upload_tmp_dir if an ibay has dynamic content enabled: http://bugs.contribs.org/show_bug.cgi?id=7011

The approach in that bug is as follows:
- create /home/e-smith/files/ibays/<ibayname>/tmp
- set ownership of the new folder appropriately (chown www:www /home/e-smith/files/ibays/<ibayname>/tmp)
- Make a custom-template copy of 95AddType00PHP2ibays:

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/95AddType00PHP2ibays .
(don't miss the "." at the end of the last line)

Edit the custom-template version of 95AddType00PHP2ibays and add the three lines preceded by "+" below:
                my $basedir = $ibay->prop('PHPBaseDir')
                    || ("/home/e-smith/files/ibays/" . $ibay->key . "/");
                $OUT .= "    php_admin_value open_basedir $basedir\n";
+                my $tmpdir = $ibay->prop('PHPTmpDir')
+                    || ("/home/e-smith/files/ibays/" . $ibay->key . "/tmp");
+                $OUT .= "    php_admin_value upload_tmp_dir $tmpdir\n";
                $OUT .= "</Directory>\n";


Implement your changes using:

Code: [Select]

signal-event remoteaccess-update
NOTE:
Any ibay that has already been configured to support php uploads by adding "/tmp/" to PHPBaseDir will need to have a local ".../tmp" folder created before uploads will work again.

[newburns]

What about the "/opt" directory? I see the /home/files/ibays in your code, but I install almost everything to /opt. It makes me feel more secure. Other than SMESiteMaker, is there any other way to change open_basedir folders?

[mmccarn]

As you point out, the code I've offered only affects ibay definitions.

It would be pretty easy to add 'upload_tmp_dir' to the template fragment created by smesitemaker.  It would also be easy to add this as a default in the smesitemaker scripts (I suspect).

[Smitro]

Sorry for the late response, I've been away on holiday.

Thanks for all the replies. I really like mmccarn's method. I've implemented this. For anyone else playing along at home, don't forget before running the last command run:

Code: [Select]

expand-template /etc/httpd/conf/httpd.confThen run

Code: [Select]

signal-event remoteaccess-update
It would be great to see this as part of the default build.

[LANMonkey]

I have installed Wordpress in several of my iBays and in all of them I am unable to add media to my posts.  I get an error, "Missing a temporary folder".  After doing a bit of searching I find my way back here.

I have tried mmccarn's method and do not see any success.  I was sure to run "expand-template /etc/httpd/conf/httpd.conf" before the last signal-event as posted by Smitro.  The only thing I am confused about is "appropriate ownership" in setting the ownership of the added /tmp file.  The owner of all the other files in this Wordpress site is either admin or root.  Who should that owner be?  What about permissions?  It is currently set to 0755.  Should it be 0777?

What else could be going wrong?

This is all on SME Server 8.0

[stephdl]

please see http://wiki.contribs.org/Uploadtmpdir

the best pratice is to made a specific folder  to have an upload area for your ibay instead to have the /tmp for all php script.

or you can try to play with the phpbasedir and to allow php script to have its sandbox in /tmp

Code: [Select]

db accounts setprop ibayname PHPBaseDir /home/e-smith/files/ibays/ibayname/:/tmp/
signal-event ibay-modify ibayname

replace ibayname by the name of your ibay

[LANMonkey]

I'm sorry, I should have mentioned I visited that contrib.  I tried the first part "Template of php.ini" with no results.  I'm not sure what the rest of the instructions are about, if they are also necessary or not.  Should I also do "Template of httpd.conf" and "Specify the application tmp folder"?  And what is the relationship between the changes at this contrib and the instructions above?

But, no matter, I tried your code and now I see success.  Was your code all that was necessary, or was it that in combination mmccarn's post above?

[stephdl]

what you did is to set the phpbasedir which is a "php-jail" to use its normal jail and allow it to use also /tmp

Code: [Select]

db accounts setprop ibayname PHPBaseDir /home/e-smith/files/ibays/ibayname/:/tmp/
signal-event ibay-modify ibayname
It should works without any more other code but you can have a flaw if someone try to use/read/write file in /tmp.

The best practice is to allow a specific upload tmp folder for each ibays as suggested by my first link

[mmccarn]

stephdl's solution works fine with a potential security issue mentioned by Mary.

My post was not so much a 'how to' as a pointer to the 'new feature request' in bugzilla, so that in a future release of SME server you wouldn't need to run the commands provided by stephdl for every new webapp.

[LANMonkey]

Thanks all.  I'm going to try stephdl's solution on my other Wordpress sites tomorrow and I'll report back.

What about the contrib http://wiki.contribs.org/Uploadtmpdir?

I'm still a bit confused as to how to apply that, if at all.  Could somebody explain the procedures outlined there?

[stephdl]

stephdl's solution works fine with a potential security issue mentioned by Mary.

My post was not so much a 'how to' as a pointer to the 'new feature request' in bugzilla, so that in a future release of SME server you wouldn't need to run the commands provided by stephdl for every new webapp.

Hi
I'm currently working on a new panel for ibay (http://bugs.contribs.org/show_bug.cgi?id=8239 and http://bugs.contribs.org/attachment.cgi?id=4488) and i'm interested to solve your bug 7011.
Do you have done more work as suggested by the JPP remarks ?
Do you have made some search on the internal script event ?

[stephdl]

Thanks all.  I'm going to try stephdl's solution on my other Wordpress sites tomorrow and I'll report back.

What about the contrib http://wiki.contribs.org/Uploadtmpdir?

I'm still a bit confused as to how to apply that, if at all.  Could somebody explain the procedures outlined there?

http://wiki.contribs.org/Uploadtmpdir it is not a contrib, but a howto for developer rather than user. You cannot easily use it except that it is added in the smeserver-wordpress contribs. Therefore the quick but less safe solution is to play with PHPbasedir.

But now i have a question, your wordpress is installed by hand or by the contrib smeserver-wordpress ?

[mmccarn]

Do you have made some search on the internal script event ?

I've posted a patch to /etc/e-smith/events/actions/ibay-modify in bug 7011 that creates the tmp folder either in the root of the ibay or according to the setting of db setting for PHPTmpDir