Cannot add/remove directories/subdirectories in /public_html/sites/default/files

I was trying to add a sub-folder in /public_html/sites/default/files through cPanel's built-in file manager. Although it showed no error, on refreshing the directory, the folder I specified was NOT there.

I tried deleting the .htaccess file in that folder, again it could not be deleted. Trying to change its permissions to anything gave the following error in cPanel:
FileOp Failure on: /public_html/sites/default/files/.htaccess

I am effectively locked out of this folder. I cannot create/edit/remove files/folders from under it. The .htaccess contents are as follows:

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

Any help would be greatly appreciated.

Comments

Here is the security page for that patch
http://drupal.org/node/65409

> Trying to change its permissions to anything gave the following error in cPanel

Try to chmod it using an ftp client (and/or ssh if you have it active in cpanel).

Once you can write to it, comment its content out like this:

# SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
# Options None
# Options +FollowSymLinks

If I remember correctly, you can't just remove the htaccess file or delete the lines,
as it all gets regenerated. Commenting out seems to work though.

Also check that your default/files directory has 664 (or maybe it needs 755) chmod.

If that fixes your problem, you then have to decide what you're going to do about this.
I can't find any answers myself and decided that there is no point having a secure /files
directory if you can't serve files from it. So I left the directory at 755 chmod and left the
htaccess lines commented out. I really have no idea how insecure this is; there appear
to be many unanswered questions in the forum about this patch.

Everything I say is opinion, even if interpreted as fact.
Sometimes I may be inaccurate or *GASP* wrong!
Sometimes I attack Drupal due to frustration. Get over it.

As I see it, default/files has 775 perms.

Currently, I was able to upload files & create sub-directories to this directory through Drupal's admin interface. So, instead of creating a security hole by commenting out those lines, I currently am inclined to leave it as it is.

Probably, later when I need to upload files manually, I might comment them out, and then recomment it after my work is done.

The information available on the link you provided:
"configurations of Apache allows execution of carefully named arbitrary scripts in the files directory"

does not provide much information of the security issue. On the surface, the above line looks pretty much of concern to me to comment out those lines.

--
I always think tomorrow will have more time than today.
And every today seems to pass-by faster than yesterday.
http://www.rahulsingla.com

> 775

775 is ok too; I think that's what later versions of Drupal use by default during installation.

> On the surface, the above line looks pretty much of concern to me to comment out those lines.

It depends what 'typical' apache set-up they are talking about.
The security bulletin is ridiculously vague and unhelpful.
And the patch itself is obviously server dependent.
Not a job well-done IMO.
If you search drupal.org for SA_2006_006, there are lots of unanswered questions about it.
Be aware that this htaccess file also seems to break some modules that try to use the /files directory.

Everything I say is opinion, even if interpreted as fact.
Sometimes I may be inaccurate or *GASP* wrong!
Sometimes I attack Drupal due to frustration. Get over it.

Try not to mess with cPanel items

Hi,
I had been experimenting a lot and my hosting services are really sick of resetting my cPanel all the time.
Here are a few things I messed with:
1. Created several folders for plug-in backups etc.
2. Deleted the _cgi.bin (or something like that) files from the public_html folder
3. Deleted the .htaccess file from the public_html folder

Results:
Unzipping function doesn't work. It doesn't even regenerate the exact contents, only directories.

As for a quick fix, ask your hosting service to reset your cPanel. This will probably be a new installation of cPanel on another server or the same one. It would be wise to contact your hosting service; even if you think they know less, they are the ones who are going to help you out with the .htaccess file.
As far as the directories are concerned, piece of cake. You might have noticed the permissions of every linked file within a directory. So start changing:
*Every file's permissions to code 0777 one by one. e.g.
you have folder like : public_html/sites/all/modules/etc/abc.html
start in reverse order, change permission of abc.html first, then etc then modules and so forth.

All things mentioned here are already experimented and case oriented. I hope it might help others out :)

Regards
---------
Haroon

Well, I have published a module that allows you to completely take over your Drupal files folder through Drupal's admin interface:
http://drupal.org/project/take_control

The demo of the module is here:
http://drupal.sandbox.rahulsingla.com/admin/build/take_control

--
I always think tomorrow will have more time than today.
And every today seems to pass-by faster than yesterday.
http://www.rahulsingla.com
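
An added example, not part of any post in this thread: a read-only shell audit of the files directory that reports whether the SA_2006_006 SetHandler line is active or commented out, which entries are owned by another account, and which are world-writable. The function names are hypothetical, and tying "FileOp Failure" to files created by the web server user is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Drupal files directory.
MARKER='SetHandler[[:space:]]+Drupal_Security_Do_Not_Remove_See_SA_2006_006'

# htaccess_state FILE -> prints "active", "commented" or "missing"
htaccess_state() {
    f=$1
    [ -f "$f" ] || { echo missing; return; }
    if grep -Eq "^[[:space:]]*$MARKER" "$f"; then
        echo active          # directive is in force
    elif grep -Eq "^[[:space:]]*#.*$MARKER" "$f"; then
        echo commented       # protection disabled, as done in the thread
    else
        echo missing         # file exists but the directive is gone
    fi
}

# audit_files_dir DIR -> one finding per line, changes nothing on disk
audit_files_dir() {
    dir=$1
    echo "htaccess: $(htaccess_state "$dir/.htaccess")"
    # Entries owned by a different uid cannot be chmod'ed or deleted by this
    # account (assumption: Drupal created them as the web server user).
    find "$dir" ! -user "$(id -u)" -print | sed 's/^/foreign-owner: /'
    # World-writable entries (e.g. after a blanket 0777) let any local
    # account on a shared host drop files here.
    find "$dir" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
}

# Usage: sh audit.sh public_html/sites/default/files
if [ $# -gt 0 ]; then
    audit_files_dir "$1"
fi
```

A "commented" or "missing" result together with any world-writable entry is the combination the advisory's SetHandler line was meant to guard against.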
