If I create a node and attach a file to it, then try to run 'provision backup' from either the CLI or the Aegir web UI, the tar command fails because the newly uploaded file is owned by www-data.www-data.

Here is the files dir containing the newly uploaded load2.png:

aegir@www-qa01-cois:~$ ll platforms/dev/drupal-6.14/sites/kickoff-demo.qa01.localhost/files/
total 60
drwxrws--- 5 aegir    www-data  4096 Dec 22 10:01 ./
drwxr-xr-x 5 aegir    aegir     4096 Dec 16 11:37 ../
-rw-rw-r-- 1 www-data www-data    93 Dec 22 10:01 .htaccess
drwxrws--- 2 aegir    www-data  4096 Dec 16 11:37 images/
-rw------- 1 www-data www-data 33269 Dec 22 10:01 load2.png
drwxrws--- 2 aegir    www-data  4096 Dec 16 11:37 pictures/
drwxrws--- 2 aegir    www-data  4096 Dec 22 10:01 tmp/
aegir@www-qa01-cois:~$

The provision backup command with verbose enabled:

aegir@www-qa01-cois:~$ /var/aegir/drush/drush.php -v --root=/var/aegir/platforms/dev/drupal-6.14 provision backup kickoff-demo.qa01.localhost
Initialized Drupal 6.14 root directory at                               [notice]
/var/aegir/platforms/dev/drupal-6.14
Undefined index:  base_url                                              [notice]
Undefined index:  db_url                                                [notice]
Initialized Drupal site kickoff-demo.qa01.localhost at                  [notice]
sites/kickoff-demo.qa01.localhost
mysqldump --defaults-file=/dev/fd/3                                     [notice]
-rsites/kickoff-demo.qa01.localhost/database.sql site_548
Undefined variable: indent                                              [notice]
Executing: mysqldump --defaults-file=/dev/fd/3 -rsites/kickoff-demo.qa01.localhost/database.sql site_548
tar -C                                                                  [notice]
/var/aegir/platforms/dev/drupal-6.14/sites/kickoff-demo.qa01.localhost
-p -c -f
/var/aegir/backups/kickoff-demo.qa01.localhost-2009-12-22.tar .
Executing: tar -C /var/aegir/platforms/dev/drupal-6.14/sites/kickoff-demo.qa01.localhost -p -c -f /var/aegir/backups/kickoff-demo.qa01.localhost-2009-12-22.tar .
  tar: ./files/load2.png: Cannot open: Permission denied
  tar: Error exit delayed from previous errors
Could not back up sites directory for drupal                         [error]
An error occurred at function :                                      [error]
drush_provision_drupal_provision_backup
Deleted mysql dump from sites directory                                [message]
Command dispatch complete                                               [notice]

Comments

Anonymous’s picture

The problem is that the uploaded file has permissions 600. Although the aegir user is likely a member of the www-data group, the group has no permissions on this file.

Not sure why your file has 600 permissions, possibly a umask thing? I can't reproduce.

bwood’s picture

Hi Mig,

Thanks for the response.

Forgot to mention that I'm using Ubuntu 8.04. Apache and mod_php were installed from the Ubuntu repositories. What distro are you using? What permissions does the file have when you attach it to a node (using upload module that is part of D6 core)?

/etc/apache2/envvars seems to be the correct place to set a umask for apache: http://ubuntuforums.org/showpost.php?p=3370744&postcount=2 Is the fix for Ubuntu users to set a umask so that all uploaded files are group readable? Security implications to that?

http://httpd.apache.org/docs/2.2/env.html

Brian

[edit: "envvars" and apache.org link]

Anonymous’s picture

Mine are 664 and I'm running Debian Lenny, using nothing but defaults. 664 being umask 002, how about that :)

I don't see a problem with you enabling read access on the group, since the group is www-data, and the only members are the apache user and aegir.

Can't explain why it works off the bat with Debian, pretty sure I haven't changed anything like that (and no umask in my envvars, and the default umask on the system is 022, which is standard).

bwood’s picture

Status: Active » Closed (fixed)

Setting umask in envvars had no effect. New files were still uploaded as www-data.www-data, 0600 after an apache restart.

This seems to be the problem:


On PHP previous to version 5.2.5, move_uploaded_file() doesn't respect the umask if the file is just moved (renamed). For details, see PHP bug #42291.

(source: http://drupal.org/project/umask, http://bugs.php.net/bug.php?id=42291)

I'm running the latest Ubuntu php version 5.2.4. Are you running 5.2.5 or later?

Since this is not related to Aegir, I'm marking my issue "closed."

anarcat’s picture

j0nathan’s picture

Version: 6.x-0.3 »
Status: Closed (fixed) » Active

Hi,
We have the issue with Debian and PHP 5.2.6.
More information to come...

adrian’s picture

Status: Active » Closed (fixed)

More information didn't come.

This was resolved by adding a umask() directive to the settings.php, so that all new files are created with the right perms.

Fixing existing sites with this problem is documented here:
http://groups.drupal.org/node/24854#fileperms
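
Added example (not part of the original thread, and not Aegir or Drupal code): a shell reproduction of the behaviour the quoted PHP bug describes, where a file that is only renamed keeps its 0600 mode whatever the umask is, plus a pre-backup check for files the aegir user cannot read through the www-data group. The directory layout is constructed in a throwaway temp directory, and mktemp is an assumption standing in for PHP's upload temp file.

```shell
#!/bin/sh
# Added example; every path below is constructed in a temp directory.

# Permission string of a file, e.g. "-rw-rw-r--".
perm() { ls -l "$1" | cut -c1-10; }

# A file created fresh is opened with 0666, so it ends up 0666 & ~umask.
created_file_mode() {
    ( umask "$1"; d=$(mktemp -d); : > "$d/new.png"
      perm "$d/new.png"; rm -rf "$d" )
}

# An upload temp file is created 0600 (mkstemp-style) and then only
# renamed into files/, so the umask never influences the final mode.
renamed_upload_mode() {
    ( umask "$1"; d=$(mktemp -d); mkdir "$d/files"
      t=$(mktemp "$d/phpXXXXXX")          # stand-in for the upload temp file
      mv "$t" "$d/files/load2.png"
      perm "$d/files/load2.png"; rm -rf "$d" )
}

# Regular files without the group-read bit: what tar, running as a
# group member (aegir in www-data), fails to open during a backup.
not_group_readable() {
    find "$1" -type f ! -perm -040
}

echo "created, umask 002: $(created_file_mode 002)"    # -rw-rw-r--
echo "renamed, umask 002: $(renamed_upload_mode 002)"  # -rw-------
echo "created, umask 007: $(created_file_mode 007)"    # -rw-rw----
```

Running not_group_readable against a site's files directory before a backup lists the uploads that would trigger "Cannot open: Permission denied". The umask 007 line shows a setting that keeps files group-readable without making them world-readable.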