Correct CMOD settings for smarty3, subfolders and their users

TupambAdmin [stable]

5 months ago • •

TupambAdmin [stable]
5 months ago • •

Correct CMOD settings for smarty3, subfolders and their users

Hi there @Friendica Support ,
this question is related to this help request:
frio theme - Service Unavailable
https://tupambae.org/display/0ac89072-9165-5e71-7f9f-916750014598

I had a look at the smarty CHMOD settings and found the following:

drwxrwxr-x 3 www-data www-data 4096 Nov 8 20:23 smarty3
If I'm not wrong that's CMOD 775 (rwx|rwx|r-x) (?)

Hi there @Friendica Support ,
this question is related to this help request:
frio theme - Service Unavailable
https://tupambae.org/display/0ac89072-9165-5e71-7f9f-916750014598

I had a look at the smarty CHMOD settings and found the following:

drwxrwxr-x 3 www-data www-data 4096 Nov 8 20:23 smarty3
If I'm not wrong that's CMOD 775 (rwx|rwx|r-x) (?)

In the installation process the commands to create the smarty folders were:
www-data@VPShosting:~/html$ mkdir -p view/smarty3
www-data@VPShosting:~/html$ chmod 775 view/smarty3
see:
https://squeet.me/display/962c3e10-1565-2eab-e611-2a9750230278
https://tupambae.org/display/0ac89072-2065-5da2-9124-8b5839853793
--
I looked into the subfolders and found:

rootname@VPShosting:/var/www/html/view/smarty3# ls -l
drwxr-xr-x 222 www-data www-data 4096 Nov 25 17:20 compiled => CMOD 755 (rwx|r-x|r-x) (?)
--
The folder "compiled" has a long list of sub-folders apparently each having 2 more steps of sub-folders.

rootname@VPShosting:/var/www/html/view/smarty3/compiled# ls -l
total 880

I found two types of folders, some few created on different dates strangely belonging to the user root instead of www-data, here two examples and how those two types of subfolders look like.
I guess the folders owned by root are wrong?
--------------------
drwxr-xr-x 3 root root 4096 Nov 12 04:35 00
-
rootname@VPShosting:/var/www/html/view/smarty3/compiled/00# ls -l
drwxr-xr-x 3 root root 4096 Nov 12 04:35 d4 => CMOD 755 (rwx|r-x|r-x) (?)

rootname@VPShosting:/var/www/html/view/smarty3/compiled/00/d4# ls -l
drwxr-xr-x 2 root root 4096 Nov 12 04:35 ec => CMOD 755 (rwx|r-x|r-x) (?)

rootname@VPShosting:/var/www/html/view/smarty3/compiled/00/d4/ec# ls -l
-rw-r--r-- 1 root root 675 Nov 12 04:35 00d4eca105abd94437094f3d4409477acb55526a_2.string.php => CMOD 644 (rw-|r--|r--) (?)
--------------------
drwxr-xr-x 3 www-data www-data 4096 Nov 22 20:25 01
-
rootname@VPShosting:/var/www/html/view/smarty3/compiled/01# ls -l
drwxr-xr-x 3 www-data www-data 4096 Nov 22 20:25 97 => CMOD 755 (rwx|r-x|r-x) (?)

rootname@VPShosting:/var/www/html/view/smarty3/compiled/01/97# ls -l
drwxr-xr-x 2 www-data www-data 4096 Nov 22 20:25 f2 => CMOD 755 (rwx|r-x|r-x) (?)

rootname@VPShosting:/var/www/html/view/smarty3/compiled/01/97/f2# ls -l
-rw-r--r-- 1 www-data www-data 6140 Nov 22 20:25 0197f2d4b23957a898d38870d6c6a3775da487ff_2.file.group_side.tpl.php => CMOD 644 (rw-|r--|r--) (?)

Tutorial

2023-11-22 21:24:15

frio theme - Service Unavailable

Hi there @Friendica Support
just changed on this profile to FRIO as VIER seems to basically not perform the basic functions.
When I try to go to the settings page I get a "Service Unavailable" page.
What should I do?
friendica 2023.05 - firefox

@Friendica Support

in reply to TupambAdmin [stable]

utopiArte

in reply to TupambAdmin [stable] • 5 months ago • •

Just checked all the 13 of 220 folders that were created as belonging to user and group root and that I consider shouldn't exist as owned by root i the folder /smarty3.

In general terms speaking I couldn't find a common property.

They refer to posts or replies by three different users.

Most refer to one specific post.

Two create a page:
Not Found
The requested item doesn't exist or has been deleted.
Request: XYZ

All were created with the theme VIER.

in reply to TupambAdmin [stable]

utopiArte

in reply to TupambAdmin [stable] • 5 months ago • •

New error message (of FRIO) about a folder created by the user root.

I haven't found the extensive conversation about this problem with @Hypolite Petovan yet but I'm quite sure that I changed all folders to ownership of user www-data before 28th of November of the smarty folder. Actually there was another conversation about ownership of folders and I changed all folders to be owned by root except storage and view that day on 02:45hs, the new folder owned by root at /view/smarty3/compiled/ like stated below was created on 3:50hs.

As for what I remember of all the conversations this shouldn't have happened.

Service Unavailable
unable to create directory /var/www/html/view/smarty3/compiled/7c/ea/e6

Exception thrown in /var/www/html/src/Core/Renderer.php:

New error message (of FRIO) about a folder created by the user root.

As for what I remember of all the conversations this shouldn't have happened.

Service Unavailable
unable to create directory /var/www/html/view/smarty3/compiled/7c/ea/e6

Exception thrown in /var/www/html/src/Core/Renderer.php:90
Stack trace:
#0 /var/www/html/mod/photos.php(902): Friendica\Core\Renderer::replaceMacros()
#1 /var/www/html/src/LegacyModule.php(96): photos_content()
#2 /var/www/html/src/LegacyModule.php(73): Friendica\LegacyModule->runModuleFunction()
#3 /var/www/html/src/BaseModule.php(244): Friendica\LegacyModule->content()
#4 /var/www/html/src/App.php(703): Friendica\BaseModule->run()
#5 /var/www/html/index.php(52): Friendica\App->runFrontend()
#6 {main}

Console research result

rootname@VPShosting:/var/www/html/view/smarty3/compiled# ls -l
..
drwxr-xr-x 5 www-data www-data 4096 Dec 6 00:40 7b
drwxr-xr-x 3 root root 4096 Nov 28 03:50 7c
drwxr-xr-x 3 www-data www-data 4096 Nov 28 02:45 7d
..
-----------------
rootname@VPShosting:/var/www/html/view/smarty3/compiled# cd 7c
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c# ls -l
total 4
drwxr-xr-x 3 root root 4096 Nov 28 03:50 d2
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c# cd d2
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c/d2# ls -l
total 4
drwxr-xr-x 2 root root 4096 Nov 28 03:50 69
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c/d2# cd 69
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c/d2/69# ls -l
total 4
-rw-r--r-- 1 root root 710 Nov 28 03:50 7cd2693513597460a71347ba02d3179c5e5ab822_2.string.php

nano 7cd2693513597460a71347ba02d3179c5e5ab822_2.string.php

<?php
/* Smarty version 4.3.1, created on 2023-11-28 03:50:02
  from '7cd2693513597460a71347ba02d3179c5e5ab822' */
/* @var Smarty_Internal_Template $_smarty_tpl */
if ($_smarty_tpl->_decodeProperties($_smarty_tpl, array (
  'version' => '4.3.1',
  'unifunc' => 'content_6565636a645732_50647552',
  'has_nocache_code' => false,
  'file_dependency' => 
  array (
  ),
  'includes' => 
  array (
  ),
),false)) {
function content_6565636a645732_50647552 (Smarty_Internal_Template $_smarty_tpl) {
?>[url=https://tupambae.org/profile/utopiarte]utopiArte[/url] replied to you on [url=https://tupambae.org/display/0ac89072-1065-6562-6405-8bb240314547]"bugreport - can't answer, like or reshare posts"[/url]<?p>

#1 #2 #3 #4 #6 #5 @Hypolite Petovan

in reply to utopiArte

Hypolite Petovan

in reply to utopiArte • 5 months ago • •

@utopiArte @TupambAdmin [stable] Are you by any chance running your Friendica cron jobs as root? It should run as www-data. Same question if you're using the daemon.

@utopiArte

in reply to Hypolite Petovan

utopiArte

in reply to Hypolite Petovan • 5 months ago • •

Not using daemon but CRON.

I guess that is running as root ..

in reply to utopiArte

utopiArte

in reply to utopiArte • 5 months ago • •

@Hypolite Petovan

So this is a "tricky" one for me as I have no idea what or how to do this.
In the helpers page:
https://tupambae.org/help/Install#cron+job+for+worker
it only states:

helpers page wrote:

cron job for worker
If you are using a Linux server, run "crontab -e" and add a line like the one shown, substituting for your unique paths and settings:

I did my installation with the help of @hankg's tutorial:
https://www.nequalsonelifestyle.com/2022/07/30/creating-friendica-server-ubuntu/#creating-workers

ubuntu install tutorial wrote:

First log into the server through SSH using your root@<domain> user. Then execute the crontab edit command:
sudo crontab -e

How do I set this so "It should run as www-data."
??

Tutorial: Creating a Friendica Server with Ubuntu 22.04

The main Friendica documentation has install instructions for setting up the core part of the system. However it assumes that you have properly installed all the dependencies and leaves securing the system as an exercise to the user.

^{N=1 Lifestyle}

@Hypolite Petovan

in reply to utopiArte

Hypolite Petovan

in reply to utopiArte • 5 months ago • •

@utopiArte Prepend the php command with su -u friendica and the command will be ran as www-data.

@utopiArte

in reply to Hypolite Petovan

utopiArte

in reply to Hypolite Petovan • 5 months ago • •

Something like this?

# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/5 * * * * cd /var/www/html; su -u friendica /usr/bin/php bin/worker.php

in reply to utopiArte

Hypolite Petovan

in reply to utopiArte • 5 months ago • •

@utopiArte Looks good to me, you should run it once as root to make sure it doesn't fail horribly.

@utopiArte

in reply to Hypolite Petovan

utopiArte

in reply to Hypolite Petovan • 5 months ago • •

As off now it was running like this:
*/5 * * * * cd /var/www/html; /usr/bin/php bin/worker.php

Your suggestion:
php command with su -u friendica
*/5 * * * * cd /var/www/html; su -u friendica /usr/bin/php bin/worker.php

What we didn't actually clarified is what friendica stands for.
Like to say, is it a "place holder", a variable for a user or application name?
Is "friendica" defined as such in worker.php?
Or would it actually be www-data?

in reply to utopiArte

Hypolite Petovan

in reply to utopiArte • 5 months ago • •

@utopiArte Sorry, friendica is the name of my local node web server user. You should be writing www-data instead.

@utopiArte

in reply to Hypolite Petovan

Nanook

in reply to Hypolite Petovan • 5 months ago • •

@Hypolite Petovan @utopiArte In my case, php software runs with the owners id of that software, so that every application runs with it's own id, this is much more secure than the www-data for everything scheme because in that scheme one application can write over all others or even itself, not good. This way a flaw in an application can only result in damage to that application.

@Hypolite Petovan @utopiArte

in reply to Nanook

utopiArte

in reply to Nanook • 5 months ago • •

learning question:
(some maybe "notes to myself to investigate")

When is that php software setting actually done?

I'm still working on that friendica for ubuntu VPS installation tutorial and at the same time (of course) starting to wonder about adding more sites, friendica or maybe other site software to the server I'm testing around with and actually just started to wonder how to separate for example two friendica instances to not use two times www-data for example. Like to get as differentiated permission and access settings as possible.

In the case of DB user and DB's themselfs that's more than obvious, but how when or where does the (in this case) www-data setting take place?

When pulling from github into the prepared (in this case) /html folder?
Or the subsequent bin/composer.phar install --no-dev step?

What happens if I try now to create a folder tree for several domains/subdomains and move/rename the exis

in reply to Hypolite Petovan

utopiArte

in reply to Hypolite Petovan • 4 months ago • •

Well, this;
*/5 * * * * cd /var/www/html; su -u www-data /usr/bin/php bin/worker.php
.. didn't work out.

Looks like cron job didn't execute at all.

The last worker execution was on 2023-12-22 16:25:28 UTC. This is older than one hour. Please check your crontab settings.

in reply to utopiArte

TupambAdmin [stable]

in reply to utopiArte • 3 months ago • •

Still monitoring this and wondering if some setting and changes while moving the server has to do with this.
Right now there are folder structures like the mentioned created and visible in /smarty3 and /storage.

Of the two folders that have root as owner in the /smarty3 folder, there is one subfolder that exists in the /storage folder and one that doesn't.

The one that does exist in /storage and /smarty3 has the same creation date (Nov 28 2023).

It actually points right now to this very answer above:
/display/0ac89072-1165-95dc-31ec-a8a342054692

That folder contains an completely unrelated unknown avatar.

While trying to nano the file contained in the other folder right now the following message came up:
"File root is being edited by root (with nano 6.2, PID 3334); open anyway?"

Opening anyway gave an empty nano editor with something like 1/7.
Trying to leave with [ctrl-X] and [N] wasrejected and an empty nano editor with 1/2 showed up on top.
Closed the SSH window o escape this.

utterly strange

in reply to TupambAdmin [stable]

utopiArte

in reply to TupambAdmin [stable] • 3 months ago • •

I start getting the feeling that the admin profile has or had the ability to publish as root.

There is specifically one post right now that is public where this profile commented on. That post shows up on the profile page but when this profile tries to open it or even open a notification of an answer on that post done by the admin profile a blank page get's displayed. Occasionally with a code error, occasionally with nothing at all.

This is the link of the latest notification that display a blank page:
https://tupambae.org/display/0ac89072-4065-b25c-c45a-703128708436

Server settings

Server settings and modification (since the server migration, see old settings here)

^tupambae.org

in reply to utopiArte

utopiArte

in reply to utopiArte • 5 months ago • •

Here is the previous conversation about this where I described when and how I changed the access settings of the installation and folders.

utopiArte

2023-11-27 16:44:52

Implications of access by the user www-data to all friendica folders

@Friendica Support
Hi there,
the friendica helpers page describes the installation process of friendica as follows:
/help/Install: wrote:
The Linux commands to clone the repository into a directory "mywebsite" would be
git clone https://github.com/friendica/friendica.git -b stable mywebsite
cd mywebsite
bin/composer.phar install --no-dev
Make sure the folder view/smarty3 exists and is writable by the webserver user, in this case www-data
mkdir -p view/smarty3
chown www-data:www-data view/smarty3
chmod 775 view/smarty3
Get the addons by going into your website folder.
cd mywebsite
Clone the addon repository (separately):
git clone https://github.com/friendica/friendica-addons.git -b stable addon
askubuntu.com: wrote:
What is the www-data user?
https://askubuntu.com/questions/873839/what-is-the-www-data-user
The web server has to be run under a specific user. That user must exist.
If it were run under root, then all the files would have to be accessible by root and the user would need to be root to access the files. With root being the owner, a compromised web server would have access to your entire system. By specifying a specific ID a compromised web server would only have full access to its files and not the entire server.
I guess this observation goes both ways, a compromised friendica instalation get's access to all the friendica folders if I choose to first create/activate the www-data user, than create the friendica installation folder structure, than git clone friendica, than create the smarty3 folder and ultimately do the git clone of the addon folder as described here:
https://tupambae.org/display/0ac89072-2065-5da2-9124-8b5839853793
The order in which the creation of www-data related folders in the above case is described makes all folders and files in the friendica directory belong to www-data.
In the friendica help description first comes the git-clone, than the the smarty3 folder part than the addon git-clone. Actually I guess that last part would make the addon folder belong to www-data too if I run one command after another. Is that intended?
I wonder if this could have some kind of security implications.
I guess www-data is somehow the friendica site and has permissions to do "what ever it wants" (-> "writable by the webserver user") with all the folders in the friendica directories if it's the owner of them.

@TupambAdmin [stable]

What is the www-data user?
I'm working through How To Serve Django Applications with uWSGI and Nginx on Ubuntu 16.04. At the end of the "Create a systemd Unit File for uWSGI" in the article they discuss the www-data user. W...
^{Ask Ubuntu}

in reply to utopiArte

utopiArte

in reply to utopiArte • 5 months ago • •

🙁
f***, just pulled the whole link into this

😞

Lo, thar be cookies on this site to keep track of your login. By clicking 'okay', you are CONSENTING to this.

⇧