Can't load view files created by PHP - permissions problem
#1

(This post was last modified: 08-16-2020, 07:25 AM by jreklund.)

Hi guys,

first of all you know...
I really hate posting questions in public forums, but I am so stuck on something that I actually see no other choice.

Inside a controller I have a 'register' function.
In this function I verify the 'sanitized' password and its hash saved in the database.

In the same function I create a profile.php file under APPPATH.'Views/profiles/', change its permissions with chmod to 755, create a directory of the same name under FCPATH./profiles/ and change the permissions with chmod to 755.
I put a sticky out there so that both directories have http:http as owner and group as opposed to my 'usual settings' of username:http.
In the latter configuration php isn't able to create files or directories.

So now, when I try to redirect to the created file (the created directory is intended for later user uploads) or load it in a view, Apache throws out my custom error page saying 'you don't have the privileges to access this file'.


Before I did all this work I created an 'administrator profile.php' (with the purpose of using it as a template to load later) by hand under the same directory as above, and I also created the user credentials in the SQL database by hand.

The latter php file is rendered.


What could probably be the issue here?

The permissions/access rights are set equally.
Both directories have the web-server as owner and group set so that the auto creation of files is no issue for php.

I'm stuck in this box and need your appreciated advice.


Greets

Gee


CODE:


snip
PHP Code:
if (!$errors)
{
    if ($session->logged_in)
    {
        $session->set('logged_in', FALSE);
    }

    $sql = $db->query("SELECT * FROM user WHERE username = '$username'");

    foreach ($sql->getResult('array') as $row)
    {
        // Verify password vs. stored hash
        if ($row['username'] == $username && password_verify($password, $row['password']))
        {
            $session->set('logged_in', TRUE);
            $session->set('username', $username);

            // Pass forward to own Profile
            return redirect()->to('/profiles/'.$username);
        }

snip

PHP Code:
if ( ! is_file(APPPATH.'Views/profiles/'.$username.'.php')) {
    throw new \CodeIgniter\Exceptions\PageNotFoundException($username);
}

if ($username && $_SESSION['logged_in'])
{
    // Set browser tab name to user/profile name
    $this->data['title'] = $username;

    echo view('header/logged_in', $this->data);
    echo view('profiles/'.$username);
    echo view('footer/copyright');

    return 0;
}
else
{
    //
    // <TODO> Redirect if not logged_in
    //
    echo 'You are not logged in, aborting';
    return 0;
}

//
// <TODO> 'Internal error page'
//
return 1;
#2

First of all, you are subject to SQL Injection; with this code I could grab all your data from your database or drop it. Please see the chapter about query binding.
PHP Code:
$sql = $db->query("SELECT * FROM user WHERE username = '$username'");

Is the second snippet a Profile controller? You only show so little of your code.

Is it this part that dies?
Code:
throw new \CodeIgniter\Exceptions\PageNotFoundException($username);

Or is it this?
Code:
echo view('profiles/'.$username);

I'm afraid we lack some details.

If you manually change the permissions of the files created by PHP, do they then work? If so, you got a permission problem, and that can't be solved with your CodeIgniter code.
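The query-binding point made above, as an added example that is not code from the thread or from CodeIgniter: the login lookup from post #1 rewritten with a bound parameter, next to the interpolated form, so the difference can be run and observed. PDO with an in-memory SQLite database stands in for CodeIgniter's $db so the script runs on a bare PHP install; the CodeIgniter 4 equivalents (`$db->query()` with a `?` placeholder, or the Query Builder's `where()`) are given in comments. The account, its password and the quoted username are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): the login lookup from post #1 written
// with a bound parameter instead of string interpolation. PDO with an
// in-memory SQLite database stands in for CodeIgniter's $db so this runs on a
// bare PHP install; the CodeIgniter 4 equivalents are given in comments.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample account; the stored value is what password_hash() produces at registration.
$pdo->prepare('INSERT INTO user (username, password) VALUES (?, ?)')
    ->execute(['gee', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// The thread's original shape: $username is spliced into the SQL text, so the
// structure of the query, not only its data, depends on user input.
function findUserInterpolated(PDO $pdo, string $username): array
{
    return $pdo->query("SELECT * FROM user WHERE username = '$username'")->fetchAll(PDO::FETCH_ASSOC);
}

// Bound form: the SQL text is fixed and the value travels separately.
// CodeIgniter 4: $db->query('SELECT * FROM user WHERE username = ?', [$username])->getResultArray()
//           or:  $db->table('user')->where('username', $username)->get()->getResultArray()
function findUserBound(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT * FROM user WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The check from post #1 over the bound lookup: succeed only when exactly one
// row matches and password_verify() accepts the submitted password.
function login(PDO $pdo, string $username, string $password): bool
{
    $rows = findUserBound($pdo, $username);
    return count($rows) === 1 && password_verify($password, $rows[0]['password']);
}

// A username that is in no row but contains a quote: with interpolation the
// quote becomes part of the SQL; with binding it is just a value that matches nothing.
$quoted = "x' OR '1'='1";
printf("interpolated: %d row(s)\n", count(findUserInterpolated($pdo, $quoted)));
printf("bound:        %d row(s)\n", count(findUserBound($pdo, $quoted)));
var_dump(login($pdo, 'gee', 'correct horse battery staple'));
var_dump(login($pdo, 'gee', 'wrong password'));
```

Run with `php example.php` on any PHP build with the pdo_sqlite extension. The interpolated lookup returns the stored row for the quoted username even though no such user exists, while the bound lookup returns nothing; the login check stays a plain `password_verify()` over the bound result, which is all the original code needs.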
#3

(This post was last modified: 08-16-2020, 09:40 AM by jreklund.)

(08-16-2020, 07:24 AM)jreklund Wrote: First of all, you are subject to SQL Injection; with this code I could grab all your data from your database or drop it. Please see the chapter about query binding.
PHP Code:
$sql = $db->query("SELECT * FROM user WHERE username = '$username'");

No you can not.
You are outside, in the dark evil world behind my 'still quite secure' router, remote access is disabled for mysql or any other services beside NTP and HTTP and if ever, you still needed to upload some code to exploit the query.
However, thanks for the info - I'm working on it but for now it gives me the result I need to test general functionality.

(08-16-2020, 07:24 AM)jreklund Wrote: Is it this part that dies?
Code:
throw new \CodeIgniter\Exceptions\PageNotFoundException($username);

No it is not.

(08-16-2020, 07:24 AM)jreklund Wrote: Or is it this?
Code:
echo view('profiles/'.$username);

Yes, as are the redirects I do to the controller responsible for resolving these paths.

(08-16-2020, 07:24 AM)jreklund Wrote: If you manually change the permissions of the files created by PHP, do they then work?
No, it does not. I tried every thinkable possibility (change of user, permissions, sticky bit...)

(08-16-2020, 07:24 AM)jreklund Wrote: If so, you got a permission problem, and that can't be solved with your CodeIgniter code.
Yes, that's what I was going far from/ I'm afraid of.


How can I change the standard settings for the webserver/php configuration to let the php engine inside Apache create files with certain user:group and permission settings?

PS: The 'new user restrictions' are perhaps necessary but quite annoying
#4

If those files don't load with the same user:group settings as the file you created manually ("administrator profile.php"), I guess your automatic script didn't create them correctly, as they would successfully load.

Personally I don't have the need of multiple users on what I'm hosting, but I have corrected the group ownership with setgid in the past. Have you tried just loading the file with file_get_contents? Can you read it with any PHP script at all?

Half of what is posted in our forum is spam, and 25% of what is approved doesn't look like it, and after a day or two they edit their posts with spam. So around 25% of new users are real; that's why it's there.
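A diagnostic for the two questions raised in posts #3 and #4 (which user:group the PHP engine inside Apache actually runs as, and whether any PHP script can create and read the files at all), as an added example that is not code from the thread or from CodeIgniter. It prints the process identity and umask, then walks the mkdir/write/read/chmod cycle the registration code needs in a throw-away subdirectory and records PHP's own warning for the first failing step. APPPATH and FCPATH are CodeIgniter's constants; the temp-dir fallbacks are placeholders so the script also runs outside the framework, and the function names are chosen here.

```php
<?php
// Added example (not from the thread): report which identity PHP runs as and
// whether that identity can create, read and chmod files in the two locations
// the thread uses. APPPATH and FCPATH are CodeIgniter constants; the temp-dir
// fallbacks are placeholders so the script also runs outside the framework.

function phpIdentity(): array
{
    $info = [
        'sapi'         => PHP_SAPI,                 // "apache2handler" under mod_php
        'script_owner' => get_current_user(),       // owner of the script file, not the process
        'umask'        => sprintf('%04o', umask()), // subtracted from the mode given to mkdir()/chmod()
    ];
    if (function_exists('posix_geteuid')) {         // POSIX extension: the process identity itself
        $pw = posix_getpwuid(posix_geteuid());
        $gr = posix_getgrgid(posix_getegid());
        $info['process_user']  = is_array($pw) ? $pw['name'] : (string) posix_geteuid();
        $info['process_group'] = is_array($gr) ? $gr['name'] : (string) posix_getegid();
    }
    return $info;
}

// Run the cycle a registration handler needs (mkdir, write, read, chmod) in a
// throw-away subdirectory and record PHP's own warning text for the first step
// that fails, instead of guessing "permissions".
function probeDirectory(string $dir): array
{
    $result = ['dir' => $dir, 'is_dir' => is_dir($dir), 'is_writable' => is_writable($dir), 'steps' => []];
    $probe  = rtrim($dir, '/') . '/.probe-' . bin2hex(random_bytes(4));
    $file   = $probe . '/t.php';
    $steps  = [
        'mkdir'  => fn() => mkdir($probe, 0755),
        'write'  => fn() => file_put_contents($file, "<?php // probe\n") !== false,
        'read'   => fn() => file_get_contents($file) !== false,
        'chmod'  => fn() => chmod($file, 0644),
        'unlink' => fn() => unlink($file),
        'rmdir'  => fn() => rmdir($probe),
    ];
    foreach ($steps as $name => $step) {
        error_clear_last();
        if (@$step()) {
            $result['steps'][$name] = 'ok';
            continue;
        }
        $result['steps'][$name] = error_get_last()['message'] ?? 'failed';
        break;
    }
    return $result;
}

$viewsDir  = defined('APPPATH') ? APPPATH . 'Views/profiles/' : sys_get_temp_dir() . '/Views-profiles/';   // placeholder
$publicDir = defined('FCPATH')  ? FCPATH . 'profiles/'        : sys_get_temp_dir() . '/public-profiles/';  // placeholder
foreach ([$viewsDir, $publicDir] as $d) {
    if (!is_dir($d)) {
        @mkdir($d, 0755, true);
    }
}

print_r(phpIdentity());
print_r(probeDirectory($viewsDir));
print_r(probeDirectory($publicDir));
```

Dropped into a controller action (or run from the CLI as the web-server user with `sudo -u http php probe.php`) it shows in one screen whether the failing step is the directory creation, the write, or the later chmod, and under which identity. `get_current_user()` is deliberately listed next to the POSIX values because it reports the script file's owner, which is a common source of confusion when diagnosing username:http versus http:http ownership.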
#5

(This post was last modified: 08-16-2020, 10:15 AM by bogus.)

Got it.
Yeah, sad world these days with a lot of weird people.

Sometimes I feel like, hell, I am really normal... :)

Appreciate your help 'as always'.

Catch up in a bit.

Here's one of the different, not really sophisticated approaches I took.
Before that I tried other PHP functions like write_file etc., all with the same result: the web-server extension complains about missing permissions.

PHP Code:
if( is_dir($dir) === false )
{
    mkdir($dir, 0755, true);
}
else
{
    //
    // <TODO> 'Username already exists page'
    //
    echo 'User directory already exist!';
    return 1;
}

// Write template into new 'profile file'
if ( ! copy($template, $newuser))
{
    //
    // <TODO> 'Internal error page'
    //
    echo 'Unable to copy from template!';
    return 1;
}

return redirect()->to('/profiles/'.$username);
}

else
{
    //
    // <TODO> We have errors in the submitted values, output validation custom error-messages
    //

    return redirect()->to('where ever... 


If I don't change the ownership of the directory hosting the files/directories (which are apart) , the engine doesn't create anything.
If the web-server user is the owner/group at least they are created.
Just to point out the issue once more.
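The mkdir-plus-copy step from the post above, as an added example that is not code from the thread or from CodeIgniter, with the checks a registration handler should make before touching the filesystem: because `$username` ends up inside a filesystem path and a view name, it is restricted to a fixed character set first; both parent directories are tested with `is_writable()` up front so a failure names the directory rather than a generic "permission" guess; and every failing call reports PHP's own warning text via `error_get_last()`. The directory layout follows the thread; `isSafeUsername`, `createProfile`, `$template` and the temp-dir run at the bottom are assumptions made here.

```php
<?php
// Added example (not from the thread): the mkdir-plus-copy step from post #5
// with the checks a registration handler should make before touching the
// filesystem. Directory locations follow the thread; $username and $template
// are assumed inputs, and the temp-dir run at the bottom is constructed.

// $username is later embedded in a filesystem path and a view name, so it is
// restricted to a fixed character set before any path is built from it.
function isSafeUsername(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{3,32}\z/', $username) === 1;
}

// Creates the per-user view file and upload directory.
// Returns null on success, otherwise a message naming the step that failed and
// PHP's own warning text for it (from error_get_last()).
function createProfile(string $username, string $template, string $viewsDir, string $uploadsDir): ?string
{
    if (!isSafeUsername($username)) {
        return 'username contains characters that are not allowed';
    }
    $viewFile = rtrim($viewsDir, '/') . '/' . $username . '.php';
    $userDir  = rtrim($uploadsDir, '/') . '/' . $username;

    if (is_file($viewFile) || is_dir($userDir)) {
        return 'user already exists';
    }
    // Check both parents up front so the failure names the directory, not the step.
    foreach ([$viewsDir, $uploadsDir] as $dir) {
        if (!is_dir($dir) || !is_writable($dir)) {
            return "$dir is not a writable directory for the PHP process";
        }
    }
    error_clear_last();
    if (!@mkdir($userDir, 0755)) {
        return 'mkdir failed: ' . (error_get_last()['message'] ?? 'unknown');
    }
    if (!@copy($template, $viewFile)) {
        $msg = error_get_last()['message'] ?? 'unknown';
        @rmdir($userDir);             // do not leave a half-created profile behind
        return 'copy failed: ' . $msg;
    }
    @chmod($viewFile, 0644);          // the view only needs to be readable by the web server
    return null;
}

// Constructed run in a temp directory so it works outside CodeIgniter.
$base = sys_get_temp_dir() . '/profile-demo-' . bin2hex(random_bytes(3));
mkdir("$base/Views/profiles", 0755, true);
mkdir("$base/public/profiles", 0755, true);
$template = "$base/Views/profiles/administrator profile.php";
file_put_contents($template, "<?php // template\n");

foreach (['gee', 'gee', '../x'] as $name) {   // second 'gee' exercises the duplicate check
    var_dump(createProfile($name, $template, "$base/Views/profiles", "$base/public/profiles"));
}
```

In the controller the three arguments would be `APPPATH.'Views/profiles/'`, `FCPATH.'profiles/'` and the template path from the post; the return value is the message to show on the 'Internal error page' the TODOs mark, which is more useful than the bare 'Unable to copy from template!' because it carries the reason PHP itself gave.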
#6

(This post was last modified: 08-17-2020, 12:30 PM by bogus.)

Boys, do me a favor...

I examined the base class File while trying to apply the solution proposed in the docs (creating a file instance, moving a file...).

There are some @'s in the move method which obviously don't belong there. (easter egg?)

@@ -192,14
-@
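Review bot: the only thing this hunk deletes is a lone `@`, which in PHP is the error-suppression operator in front of a call rather than stray text, so the removal is a behaviour change: a call that fails on this line now emits a PHP warning instead of being silenced. If the intent is to surface the failure, check the call's return value explicitly rather than deleting the operator.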

@@ -198,8
-@
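Review bot: as with the hunk above, only the `@` is removed and no surrounding lines are shown, so it is impossible to tell from the hunk which call lost its operator; include the context lines when reporting this. The post's own observation also applies: after both removals the method still cannot chmod the new file, so the suppression operators were not what caused the failure.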

After removal of these the function no longer throws an exception, but it can't chmod the newly created file for lack of permissions.
So it's still a mod_php permission problem here.

Just updating in case someone else struggles with this problem.

Any help?
#7

(This post was last modified: 08-19-2020, 02:18 PM by bogus.)

/srv/http/codeigniter.tld/public/your-site.net/profiles/new_user_name/

and

/srv/http/codeigniter.tld/your-site.net/Views/profiles/new_user_name.php

don't work together; why is that?

Deleting the folder solved the problem I had such a hard time with.
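Why the two paths in this post collide, as an added example that is not code from the thread or from CodeIgniter: CodeIgniter 4's stock public/.htaccess only rewrites a request to index.php when the requested name is neither an existing file nor an existing directory (`RewriteCond %{REQUEST_FILENAME} !-f` and `!-d`), so as soon as public/profiles/new_user_name/ exists, a request for /profiles/new_user_name is answered by Apache from the filesystem (with directory listings disabled, as a 403 and the custom error page from post #1) and never reaches the Profile controller. The script applies the same two tests to a constructed document root; `servedFromDisk` and `uploadDirShadowsRoute` are names chosen here.

```php
<?php
// Added example (not from the thread): reproduce the decision CodeIgniter 4's
// stock public/.htaccess makes for a request. Its rewrite rules send a request
// to index.php only when %{REQUEST_FILENAME} is neither an existing file (!-f)
// nor an existing directory (!-d); anything that already exists under the
// document root is served by Apache itself and never reaches the router.

// Returns 'file' or 'directory' when Apache would serve the path from disk,
// null when the request would be rewritten to index.php and routed.
function servedFromDisk(string $docRoot, string $urlPath): ?string
{
    $candidate = rtrim($docRoot, '/') . '/' . ltrim($urlPath, '/');
    if (is_file($candidate)) {
        return 'file';
    }
    if (is_dir($candidate)) {
        return 'directory';
    }
    return null;
}

// Guard for a registration handler: an upload directory whose public URL
// prefix equals the profile route prefix will shadow /profiles/<name> as soon
// as it is created, so choose the prefixes so that this returns false.
function uploadDirShadowsRoute(string $routePrefix, string $uploadPrefix): bool
{
    $norm = fn(string $p): string => '/' . trim($p, '/') . '/';
    return $norm($uploadPrefix) === $norm($routePrefix);
}

// Constructed document root mirroring the layout from post #7.
$docRoot = sys_get_temp_dir() . '/shadow-demo-' . bin2hex(random_bytes(3));
mkdir("$docRoot/profiles/new_user_name", 0755, true);
file_put_contents("$docRoot/index.php", "<?php // front controller\n");

var_dump(servedFromDisk($docRoot, '/profiles/new_user_name'));  // directory exists: Apache serves it, not the controller
var_dump(servedFromDisk($docRoot, '/profiles/other_user'));     // nothing on disk: rewritten to index.php
rmdir("$docRoot/profiles/new_user_name");                       // the step that fixed it in post #7
var_dump(servedFromDisk($docRoot, '/profiles/new_user_name'));

var_dump(uploadDirShadowsRoute('/profiles', '/profiles'));          // the thread's layout
var_dump(uploadDirShadowsRoute('/profiles', '/uploads/profiles'));  // a prefix the router never sees as a route
```

The practical consequence is a layout rule rather than a permission fix: keep per-user upload directories under a public prefix that is not also a route (or outside the document root entirely, served through a controller), and the view file under APPPATH/Views can keep its name, because Views is never under the document root and so never competes with the rewrite.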