Koozali.org: home of the SME Server

[WORKAROUND] PHP upload and ibays

Offline janet

« Reply #15 on: July 17, 2014, 09:27:11 PM »
jibe

"Open_basedir is a security function in PHP that defines the locations or paths from which PHP is allowed to access files."

Not sure if this means scripts can also access those locations (when they are in a different ibay location).
Keep reading !
Maybe you need multiple open base dir settings for each ibay if you put a script in a different ibay.
I am not a PHP person so cannot comment more specifically from experience.

Reading from here
http://wiki.contribs.org/PHP
in this section
Modifying the PHPBaseDir setting for an ibay
it implies you can do what you are asking but uses an example of an ibay & /opt subfolder, so maybe move your script somewhere else than an ibay eg under /opt/subfolder/
eg
db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary/html/:/opt/gallery2/
Above command would allow for invocation of scripts in the /opt/gallery2 path from the Primary ibay html folder by PHP.
« Last Edit: July 17, 2014, 09:40:47 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline jibe

« Reply #16 on: July 17, 2014, 11:22:04 PM »
Quote
http://wiki.contribs.org/PHP
in this section
Modifying the PHPBaseDir setting for an ibay

Yes, it's this page I was talking about and not retrieving in my last post  :idea:

Quote
it implies you can do what you are asking but uses an example of an ibay & /opt subfolder

Yes, but what is the difference between /opt/gallery2 and /home/e-smith/files/ibays/shared-files/html (the path of my second ibay) ? For PHP, I don't see why there would be a difference, unless some special config in SME prevents it from working... I could try to put my script in /opt, as you suggest, but not sure that it will work better, and if it does, this will only confirm that there is something special in SME...

But there could be another explanation : re-reading this page that you mention, I see :

Quote
Above command would allow for invocation of scripts in the /opt/gallery2 path from the Primary ibay html folder by PHP.

It's also possible to read a file (at least in /tmp). But it's never said that we can write elsewhere than in the main basedir (however, it's never said that we cannot...).

If I have some time, I'll make some more tries writing files. This seems to be a limit of multiple open_basedir...


Offline janet

« Reply #17 on: July 18, 2014, 02:12:48 AM »
jibe

The Primary ibay is slightly different than other ibays in that it has default settings that are not easily changed.
So as has been previously advised to you, it is best to avoid using the Primary ibay.

I never use it & always point any main domain to a specific ibay as there are better control possibilities with regular ibays.

/opt does not have default ibay configuration possibilities or limitations. You will have to specifically configure those settings.

/opt is a safe place to put scripts as they are not accessible to Internet users unless you specifically allow it, although the sme server system can access /opt. You may have to configure settings within apps & set suitable permissions to allow that.

It is indeed my suggestion that you put your scripts into /opt/subfolder

ibays are special places & have a lot of default protection enabled, sme by default is locked up very tightly, something which newcomers find hard to deal with, when coming from other Linux distros which are somewhat more open but less secure.

I strongly suggest you install some of the web contribs that install to /opt & examine the templates that they install as you will see how to configure /opt appropriately to allow web access etc, & set up aliases eg Joomla, maybe Gallery IIRC, Wordpress & quite a few others, see the Contribs page & the Howtos. Look also at the Contrib or Howto that lets you manually setup any web app etc (forget its name off the top of my head & I'm on a mobile so less easy to look it up).

Edit: See for example
http://wiki.contribs.org/SME_Site_Maker
and
http://wiki.contribs.org/Web_Application_RPM
« Last Edit: July 18, 2014, 04:48:58 AM by janet »

Offline CharlieBrady

« Reply #18 on: July 19, 2014, 06:27:17 PM »
Quote
What am I missing or doing wrong ?

You need to read the log messages carefully. "No such file or directory" is not an OpenBasedir restriction, and not a file system permission issue.

Offline jibe

« Reply #19 on: August 19, 2014, 11:27:49 PM »
Hi,

Back again after a long time away...

@ janet :

Thanks for your advice. For now, the workaround I am using is working well, so I will keep it. It's true that for what I want to do, ibays are probably not very good and /opt could be better... I just do not like to use /opt on SME, as it is like using it as any LAMP, and do not think to use it in special cases where it could be better.

@ CharlieBrady :

Sorry, but you did not read carefully what I wrote  :-)
In the script I gave in my first post, I had a bad path. This gives me a "No such file or directory" error in /var/log/messages. But if I put ../../shared_files/html or $_SERVER['DOCUMENT_ROOT']/../../shared_files/html, I get a "Permission denied" error, when I should be able to write in this ibay, as the rights are UserAccess=wr-group-rd-everyone with Group=shared.
;)


Offline janet

« Reply #20 on: August 20, 2014, 12:02:53 AM »
jibe

No one can access /opt unless you specifically allow it.

The configurable permissions for ibays that you mention, are only applicable to samba (local networking) access & ftp access, & have nothing to do with web access.  Check in server manager when setting up an ibay, read the field description which says "User access via file sharing or user ftp"

Web access permissions in ibays are totally different & managed differently, & you have not allowed for that, that's why you have found a need to use a script to move the files.

Offline jibe

« Reply #21 on: August 20, 2014, 09:38:28 AM »
Hi janet,

Sorry that I was probably not clear enough in my last post... Seems that we don't talk about the same thing !

The quotation about my own post on July 15 was just to say to Charlie that the real problem was not a "No such file or directory" message, but a "Permission denied" error. Since this time, I understood that it was not a problem with the configurable permissions of the ibay in the server-manager, but something with open base dir or something else regarding the web access permissions.

As it seems more complex than I thought first, I made a workaround and decided to study that better when I'll have time. Even if /opt could be a good solution, I will not change my workaround as it works well. I consider that my problem is solved now, and that I have to re-study what I did not understand well about web access in the ibays.

Anyway, thanks to everybody for the help  :)
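The replies above separate three causes for a failed PHP write: a path that does not exist, a path outside the PHPBaseDir (open_basedir) list, and a directory the web server account cannot write to. The sketch below is an added example, not code posted by anyone in the thread; the function names are hypothetical and it assumes a Linux `readlink -f`.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): triage a failed PHP write.

# under_basedir LIST DIR: succeed if DIR equals, or lies beneath, one of the
# colon-separated entries in LIST. Entries are compared as whole directories
# (assumption: older PHP releases treated an entry without a trailing slash
# as a plain string prefix).
under_basedir() {
    _path=${2%/} _hit=1 _old_ifs=$IFS
    IFS=:; set -f                       # split on ":" without globbing
    for _entry in $1; do
        [ -n "$_entry" ] || continue
        case "$_path/" in
            "${_entry%/}"/*) _hit=0; break ;;
        esac
    done
    IFS=$_old_ifs; set +f
    return "$_hit"
}

# classify_target LIST DIR: print which of the three causes applies.
# Run it as the account the web server runs as: -w tests the calling user,
# and per reply #20 the ibay UserAccess setting covers Samba and FTP only.
classify_target() {
    # Resolve ../ and symlinks first; open_basedir is checked on the real path.
    _real=$(readlink -f -- "$2") || _real=
    if [ -z "$_real" ] || [ ! -d "$_real" ]; then
        echo missing                    # "No such file or directory"
    elif ! under_basedir "$1" "$_real"; then
        echo outside-basedir            # "open_basedir restriction in effect"
    elif [ ! -w "$_real" ]; then
        echo not-writable               # "Permission denied"
    else
        echo ok
    fi
}

# PHPBaseDir value quoted in reply #15; target path as written in reply #16.
BASEDIR='/home/e-smith/files/ibays/Primary/html/:/opt/gallery2/'
classify_target "$BASEDIR" /home/e-smith/files/ibays/shared-files/html
```

An "outside-basedir" result is fixed by extending PHPBaseDir for the ibay that holds the script; "not-writable" is a file system ownership or mode question for the web server account.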

Offline Sparkey

« Reply #22 on: August 22, 2014, 03:59:45 PM »
I had a similar issue at work with wanting to allow customers to upload art files to a location and then, without any other tasks, allow users within the internal network to have access to these files.

What I ended up doing is:

Installed the Shared Folders contrib and the Web Shares contrib.

The webshare contrib allowed me to set-up accounts for different customers with username/password access where they could upload files via php.

I then created a fileshare folder using the SharedFolders contrib with group access assigned to all internal users.

Then within the file share, created folders with the same name as the webshares created for the remote customers and then wrote a small script that uses the mount --bind command to link the sub directories under fileshare to the webshares I created for customers.

The end result is that customers have a secure login to upload and download artwork/artfiles and the internal users in our company also have access to these same files via the fileshare shared folder.

The only task I have to do is remember to modify the Bind script when a new webshare is created.  Maybe someday I will make a contrib that would let you update this from the web administration panel.  But until that time it is manual.

Mark
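The bind-mount arrangement described in the post above, as an added example that is not Sparkey's script: it derives the mounts from the directory listing so a new webshare needs no edit, skips folders that are already bound, and refuses symlinked share names so a bind cannot be redirected outside the webshare root. The two root paths are passed as arguments and are hypothetical, as are the function names.

```shell
#!/bin/sh
# Added example (constructed): derive the bind mounts from the directory
# listing, so a new webshare needs no edit to the script.

MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}
TAB=$(printf '\t')

# is_mounted DIR: succeed if DIR is already listed as a mount point.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# plan_binds WEB_ROOT SHARE_ROOT: print "SRC<TAB>DST" for every webshare
# directory that still needs binding. Nothing is mounted here.
plan_binds() {
    for _src in "$1"/*/; do
        _src=${_src%/}
        [ -d "$_src" ] || continue      # pattern matched nothing
        [ -L "$_src" ] && continue      # never bind through a symlink
        _dst=$2/${_src##*/}
        [ -d "$_dst" ] || continue      # internal folder not created yet
        is_mounted "$_dst" && continue  # already bound, leave it alone
        printf '%s\t%s\n' "$_src" "$_dst"
    done
    return 0
}

# apply_binds WEB_ROOT SHARE_ROOT: perform the planned mounts (needs root).
apply_binds() {
    plan_binds "$1" "$2" | while IFS=$TAB read -r _s _d; do
        mount --bind "$_s" "$_d" || echo "bind failed: $_d" >&2
    done
}

# Dry run when called with two arguments: show what would be bound.
if [ "$#" -eq 2 ]; then
    plan_binds "$1" "$2"
fi
```

Because `plan_binds` only prints, it can be run from cron or by hand to review the pending binds before `apply_binds` is called as root.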

Offline jibe

« Reply #23 on: August 24, 2014, 12:24:05 AM »
Hi,

Thanks for your explanation, Sparkey.

What I see is that you installed 2 contribs and finished with a script, when I just use a script without need of any contrib  :lol: :P  ;-)

Just joking : I never used those contribs and don't know them, but probably your solution is more secure than mine.

Offline janet

« Reply #24 on: August 24, 2014, 07:32:15 AM »
jibe

Webshare can be installed to an ibay (rather than /opt) & configured to allow users to have samba access to the files, as well as web access to upload & download files, & it authenticates against sme users,
see
http://wiki.contribs.org/Webshare#Using_with_ibays_.26_SME_users

Offline Sparkey

« Reply #25 on: August 27, 2014, 04:05:20 PM »
Quote
Hi,
Thanks for your explanation, Sparkey.
What I see is that you installed 2 contribs and finished with a script, when I just use a script without need of any contrib  :lol: :P  ;-)
Just joking : I never used those contribs and don't know them, but probably your solution is more secure than mine.

FWIW, I'm sure there are many ways to accomplish what I did.  Since I needed each customer to have their own access/data area, I felt the contribs I used were the easiest way for me.  Plus it allows me to easily disable or change access ID's and passwords for remote users.