Topic: Phreebooks install (accounting/ERP package)

[janet]

Charles2008

This page
http://wiki.contribs.org/DB_Variables_Configuration#Apache_server_ibay_specific_.28httpd-e-smith.29
lists the default PHP base dir location for an ibay when not specified by a db commands as being    
/home/e-smith/files/ibays/ibayname
So if PHP tries to write to other folders then it gives an error.
Commonly php apps are configured by default to to write to /tmp or ....ibays/ibayname/html/tmp


To clarify, this is the generic form of the command
db accounts setprop ibayname PHPBaseDir DIR1:DIR2:DIRn
signal-event ibay-modify ibayname

Example
db accounts setprop myibay PHPBaseDir /home/e-smith/files/ibays/myibay/:/tmp
signal-event ibay-modify myibay

This actually specifies two directories (or more if required), the colon seperator allows the entry of additional directories that PHP can access, and the trailing slash limits access to that directory only (and I believe not to sub directories under that folder).

Using the above gives PHP access to the myibay ibay folder and to (top level) /tmp

For security reasons the /tmp folder should not be used as a common folder by different ibays or webapps (wherever installed) so as to avoid cross site hacking, where bad code can be injected into the /tmp folder from one app, and then affect (or infect) other site apps using the same /tmp folder.


If you want to give access only to the tmp folder within an ibay, which is a much more secure approach (and generally recommended), then this would be appropriate

db accounts setprop myibay PHPBaseDir /home/e-smith/files/ibays/myibay/html/tmp/

If the site requires other folders to be accessed by PHP, then specify a second location as follows, while still keeping (using) the original tmp location within the ibay structure.
db accounts setprop myibay PHPBaseDir /home/e-smith/files/ibays/myibay/html/tmp/:/someotherfolder/tmp/

I think the PHP wiki articles need some updating & clarification, as the commands vary slightly depending where you read it, and while they are correct they are also confusing & possibly even misleading, and suggesting less secure methods (by using a common /tmp).

This post
http://forums.contribs.org/index.php/topic,45422.msg221400.html#msg221400
and a few others on the forum talk about the concept, although note that the author has his command incorrect as the ibay name is in the wrong location in the db command (a typo ?).

Search the forums on PHPBaseDir if you are interested.
I even wrote a good one back in 2010 here
http://forums.contribs.org/index.php/topic,42799.msg224749.html#msg224749
although I think I made a typo too !!!

Hope this is all correct and make sense.

[guest22]

@Mary,

just to double check and my understanding if I may.

Assumption 1.
The PHPBaseDir directive is to tell the SME *WEBSERVER* where a PHP application in that specific iBay has access to on the filesyste, for per default PHP xecution and filesystem access is 'jailed' to only the html directory of the iBay.

Assumption2.
The upload_tmp_dir is to tell the *PHP APPLICATION* what location on the filesystem to use as a temp dir

Assumption 3.
For the what Charles2008 is trying you need both directives set for the PHP application specifically uses upload_tmp_dir setting and not a general /tmp setting.

Any thoughts on this? (anyone?)

Regards,
guest

[Charles2008]

Mary

Another superb post. I will have to spend some time going through the threads you have indicated.

I must say that, although it does seem complicated, the idea of non-common /tmp directories makes perfect sense from a security angle. It is all becoming a little clearer to me, and somewhat less daunting.

Thanks once again for your valuable input.




RequestedDeletion

I missed your cryptic comment on first read but have since picked it up on re-read - is this the line in the httpd.conf file that you have spied:

Code: [Select]

php_admin_value open_basedir /home/e-smith/files/ibays/accounts/:/tmp/
does this suggests that my first attempt at doing it 'Mary's way' had some effect (I think so)?
Shouldn't this have worked?

BTW, I checked, I didn't have a local /tmp directory (but then again, not a surprise as I knew nothing about it then)
I have one now!

Is there an easy fix here?

[johnp]

I think if you follow Mary's suggestion and replace the myibay with your name i.e accounts you will be set

db accounts setprop myibay PHPBaseDir /home/e-smith/files/ibays/myibay/html/tmp/

[guest22]

Charles2008,

indeed we need to elaborate in more detail n PH setting in iBays and in general. Sorry for the confusion and thank you for not giving up.

Please look at my last post @Mary with my assumptions. I'm pretty sure they are 
basically correct and should help you to understand /tmp.

SME Server 8 installs WITH a /tmp directory, so if it is not there, something is wrong.

I'm off line for the next day or 2 so I hope others will pick up on your venture.

Good luck, and thanks for your persistency

Regards,
guest
 

[Charles2008]

I have just done the following on the console:

Code: [Select]

db accounts setprop accounts PHPBaseDir /home/e-smith/files/ibays/accounts/html/tmp/

Code: [Select]

signal-event ibay-modify accounts
and now when I browse to:

https://my-server-ip/accounts

I get a white screen 

I am also off for a couple of days and I will have another bash at this when I get back.
Thank you for all your help.
Charles

[johnp]

do you have a tmp directory in your html folder?

[Charles2008]

Yes. I put it there just prior to entering the above 2 lines.

[Charles2008]

When I re-run:

Code: [Select]

db accounts setprop accounts PHPBaseDir /home/e-smith/files/ibays/accounts/html/:/tmp/
signal-event ibay-modify accounts
back comes the Phreedom login screen. This is repeatable.

I also did a :

Code: [Select]

# locate /tmp
/tmp
/etc/cron.daily/tmpwatch
/etc/cron.daily/tmpwatch-formmagick
/etc/e-smith/events/bootstrap-console-save/templates2expand/Maildir/tmp
/etc/e-smith/events/email-update/templates2expand/Maildir/tmp
/etc/e-smith/skel/e-smith/Maildir/tmp
/etc/e-smith/skel/user/Maildir/tmp
/etc/e-smith/skel/user/Maildir/.junkmail/tmp
/home/e-smith/Maildir/tmp
/home/e-smith/Maildir/.junkmail/tmp
/home/e-smith/files/ibays/accounts/html/tmp
/home/e-smith/files/users/cb/Maildir/tmp
/home/e-smith/files/users/cb/Maildir/.junkmail/tmp
/usr/tmp
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/tmpfile.al
/usr/sbin/tmpwatch
/usr/share/man/man8/tmpwatch.8.gz
/var/tmp
The local i-bay /tmp directory is there.

Also, when I follow Mary's implied command above to give Phreedom access to both local and SME wide (only one level down) /tmp I get the 'white screen' again:

Code: [Select]

db accounts setprop accounts PHPBaseDir /home/e-smith/files/ibays/accounts/html/tmp/:/tmp/


RequestedDeletion

here are the permissions:

Code: [Select]

ls -al  /home/e-smith/files/ibays/accounts/html
total 60
drwxrwsr-x 10 root www  4096 Dec 16 19:40 .
drwxr-xr-x  6 root root 4096 Sep 23 16:35 ..
-rw-rw-r--  1 www  www  1406 Dec 11 00:46 favicon.ico
drwxrwsr-x  3 www  www  4096 Dec 13 10:48 includes
-rw-rw-r--  1 www  www  3173 Dec 11 00:46 index.php
-rw-rw-r--  1 www  www  2237 Dec 11 00:46 install.txt
drwxrwsr-x 10 www  www  4096 Dec 11 00:46 modules
drwxrwsr-x  4 www  www  4096 Dec 13 10:48 my_files
-rw-rw-r--  1 www  www    30 Dec 11 00:46 robots.txt
drwxrwsr-x  4 www  www  4096 Dec 11 00:46 soap
drwxrwsr-x  3 www  www  4096 Dec 11 00:46 themes
drwxrwsr-x  2 root www  4096 Dec 16 19:40 tmp
-rw-rw-r--  1 www  www  3894 Dec 11 00:46 upgrade.txt
drwxrwsr-x  2 www  www  4096 Dec 10 23:12 var
drwxrwsr-x  5 www  www  4096 Dec 11 00:47 xinstall
Changing ownership of local i-bay /tmp:

Code: [Select]

chown www:www /home/e-smith/files/ibays/accounts/html/tmp
It is now www:www.

The Phreedom login screen still dissapears after entering:

Code: [Select]

db accounts setprop accounts PHPBaseDir /home/e-smith/files/ibays/accounts/html/tmp/
signal-event ibay-modify accounts
and reappears after entering:

Code: [Select]

db accounts setprop accounts PHPBaseDir /home/e-smith/files/ibays/accounts/html/:/tmp/
signal-event ibay-modify accounts
When I try and make BOTH /tmp directories available to Phreedom, local i-bay /html/tmp and SME wide /tmp (one level down), I get the 'white screen' also:

Code: [Select]

db accounts setprop accounts PHPBaseDir /home/e-smith/files/ibays/accounts/html/tmp/:/tmp
signal-event ibay-modify accounts
...  Can I feel a 'custom-template' coming on (or perhaps it is more serious, a 'custom-template fragment' - yikes)?

Apologies in advance for the copying of my terminal entries - I feel that it is going to be very obvious to most in the know, what silly mistake I am making.
Charles

[guest22]

@Charles2008

What is you enter the following command?

Code: [Select]

db accounts setprop accounts \
AllowOverride All \
FollowSymLinks enabled \
Group www \
PHPBaseDir /home/e-smith/files/ibays/accounts/html/tmp \
PublicAccess private \
UserAccess wr-group-rd-everyone

signal-event ibay-modify accounts

[Charles2008]

HF  Welcome back!

I did as you suggested.
From browser:

https://server-ip-address/accounts

Now unable to establish connection with server.
Also tried from browser:

https://server-ip-address/server-manager

No longer a connection here either
Still quietly confident this end

Charles

[guest22]

hmmm

can you try:

db accounts setprop accounts PublicAccess gobal

and

signal-event ibay-modify accounts

[Charles2008]

done

Still 'Unable to connect'

[Stefano]

db accounts setprop accounts PublicAccess gobal

should be

Code: [Select]

db accounts setprop accounts PublicAccess global

Charles2008: if you are unable to connect to server-manager, before trying anything else, check your logs to find what's going wrong

@RequestedDeletion: if OP reports an error, before suggesting to make other modifications, we should help him to understand what's going on.. all IMVHO

[Charles2008]

stefano

Well spotted - thank you. I should have seen that also. That is the danger of a quick 'copy and paste'.


HF

OK, so now I can access 'server-manager' but there is a 'white screen' for 'accounts' from the browser.
BTW I would like to thank you very much for trying to help me  -  without your help (and the help of Mary et al) I would be well and truly lost.


Charles