File Upload Permissions and File Creation Mask issues

[cnymike]

By default my File Creation Mask was set to 022

With the setting of 022, thumbnails are being created with permission set to 640 which prevents them from being viewed.

when I change the File Creation Mask to 002, thumbnails are generated with permissions of 664

What do I set the File Creation Mask to if I want thumbnails to have permissions of 644?

Isn't 644 what you'd want the permissions to be for the thumbnails anyway?

UPDATE: I've become even more perplexed about this issue but think it has something to do with the fact that I'm using php-cgiwrap on my shared server thus I do not think that the File Creation Mask is having the desired effect that I would expect.

For instance I changed the setting back to 022, then went into image manager and created a new folder. It was created with permissions of 751.

751? what the heck is that?

I then went and changed the FCM to 002. Created a new folder in the image manager and it had permissions of 775.

If someone could explain to me what the heck is going on, I'd appreciate it.

[cnymike]

I'e just conducted a series of tests with File Creation Mask.

Here are the results I get with various File Creation Mask settings...

File Creation Mask      Permissions of resulting thumbnail
        000            =                  666
        002            =                  664
        022            =                  640

If I understand how this is -supposed- to work, you're supposed to take the standard permissions of 666 and essentially subtract the mask number to give you what the file permissions will be. So 666 - 000=666, 666 - 002=664, and 666 - 022=644

Am I correct about how it 'should' work?

For me, a setting of 022 results in a file permission of 640, which is not consistent with expectations. I would expect it to be 644

UPDATE: I just saw a thread that suggested leaving unmask blank, so I did and the resulting file permission was 644. What can explain this? Shouldn't it have been 666?

Maybe I'm way off on this so i hope someone can clear up the confusion.

I've found a couple links that tries to explain unmask, but it's mostly gibberish to me...

http://en.wikipedia.org/wiki/Umask
http://www.openbsd.org/cgi-bin/man.cgi? ... &sektion=2
http://www.gnu.org/software/libc/manual ... sions.html

[calguy1000]

Well, the required setting of the file creation mask (umask) will depend on:
a) the uid that your web server process runs as
b) the uid that you use to upload files
      and the respective membership groups.

In the simplest sense the unix permissions look like this (in binary)

Code: Select all

xxx xxx xxx
          *- execute bit for other users
         *-- write bit for other users
        *--- read bit for other users
      *-execute bit for the group
     *-- write bit for the group
    *--- read bit for the group
  *- execute bit for the owner
 *-- write bit for the owner
*--- read bit for the owner

So, a permission of 111 101 100 would mean that the file owner has permission to read, write and execute the file, members of the same group (not the owners group, but the file's group) have permission to read and execute, while other users just have read permission.  This would normally be expressed in octal as 754

The umask is used to control what the permissions of newly created files (and directories) are.  It is expressed in octal, and is usually exclusive orred with 777 to determine the file permissions.  However, files are not usually given the execute bit, so therefore consider that files (not directories) are logically anded with 111

i.e:  File Test:

Code: Select all

    777 xor (022 && 111) == 644
    111 111 111
xor 001 011 011
 =  111 100 100

i.e: Directory Test:

Code: Select all

    777 xor 022 == 755
    111 111 111
xor 000 010 010
  = 111 101 101

Here's a history of what I did in unix to reproduce this test

Code: Select all

robl@ws:/tmp$ umask
0022
robl@ws:/tmp$ touch test.1
robl@ws:/tmp$ ls -l test.1
-rw-r--r-- 1 robl robl 0 2007-06-13 20:02 test.1
robl@ws:/tmp$ mkdir test.2
robl@ws:/tmp$ ls -ld test.2
drwxr-xr-x 2 robl robl 4096 2007-06-13 20:02 test.2

[cnymike]

Calguy, I appreciate your reply and I wish I could say, "Ah, now I get it". But I'm just as lost as before.

Are the results I got consistent with what you were describing?

Is it logical that I would want a permission of 644 for thumbnail creation? And if so, how do I set the mask to achieve this result?

My brain just isn't wired in a way that enables me to comprehend this logic stuff very well.

In my tests, here is what I got...
File Creation Mask      Permissions of resulting thumbnail
        000            =                  666
        002            =                  664
        022            =                  640
You stated...

Code: Select all

    777 xor (022 && 111) == 644
    111 111 111
xor 001 011 011
 =  111 100 100

So in my test, mask 022 results in 640 files and in your test mask 022 results in 644 files. So why the difference? Is it because in my case my server is running php-cgiwrap which lets scripts execute under myown userid and group instead of user nobody and group www? Or does that have nothing to do with it at all?

Bottom line is that I need to have my files created with permissions of 644 (I think) and I can't figure out how to set up the file mask to do that.

Michael

[calguy1000]

try setting your file creation mask to  '0022'
and see what happens.

[cnymike]

For me, it creates a file with 640 permissions and a folder with 751 permissions.

[cnymike]

Is anyone using CMSMS with php-cgiwrap?

Using the unmask setting of 022 results in files of 640 and directories of 751
Using the unmask setting of 002 results in fles of 664 and directories of 775

Are either of these preferable from a "safety" point of view? Is the unmask not working as expected because of php-cgiwrap interacting in some way with the CMS's ability to set the permissions?

does anyone have any thoughts on this?

Is it possible that the unmask functionality in CMSMS is not working as expected when the CMS is run on a server with php-cgiwrap in place?

Having been hacked before, I am particularly  nervous about my files and directories have correct permissions. I see that all .doc file that have been uploaded through file manager have permissions of 777 and I see lots of directories with 777 permissions as well. this doesn't seem right or safe to me. Can anyone provide some thoughts on this?

[cnymike]

I've just gotten a reply from my webhost pair.com and this is what they said...

You should be able to get things working properly with the umask setting of
0022.  this should set the permissions on your folders to 755, and your
files to 644.  You can take the group permissions away entirely by using
0072.  This will prevent access by any other account residing on your
server.  I would recommend visiting the PHP manual on umask, which is
located at:

  http://us.php.net/umask 

Unfortunately, further discussion on this topic goes beyond the scope of
our direct support.

Well that's not what happens. With an unmask setting of 0022, files are given 640 and folders are given 751 permissions.

Could there be a problem with the unmask functionality in CMSMS when used with php-cgiwrap?

Any developers have any thoughts on this?

[cnymike]

I think it would be best if you started a new threadd for your problems. Hijacking an existing thread muddles the water.

[calguy1000]

the default umask is a server and user dependant issue, which is why the test function is there.

It depends on how you use your site, how you update it, what you want the permissions to be, and... the phase of the moon.

[cyberman]

Any developers have any thoughts on this?

I'm not a dev but another user in german board found a solution for a problem like this - try an empty umask field and files will get permission from config.php ...

[Ned Nowotny]

The problem is with the use of the "$global_umask" site preference when setting the umask.  A description of the problem and a fix are described in the bug report:

    [#1653] Calls to umask are incorrect and result in incorrect file permissions.

After applying the fix, my thumbnail images are now generated with the correct file permissions and are now properly displayed in the Image Manager.

[cnymike]

Ned, finally someone has solved this mystery! thank you so much. Now my permissions are correct and I'm one happy camper.

[calguy1000]

the fix is committed to svn and will be out with 1.1.1

[cnymike]

With the advent of v1.2, I am now having file upload permissions issues again.

First, my umask is set to 022, and when I test it, I get...
Owner: cnymike
Permissions:
  Owner: Read,Write
  Group: Read
  Other: Read

This is what it's supposed to be right?

But when I go to file manager and upload a file, it is given permissions of 600

This isn't what's supposed to happen.

I've also checked my config.php file and see that the Upload settings are...
$config['default_upload_permission'] = '664';

So the question is, why are uploaded files given permissions of 600 ?

I then have to ftp in and manually change permissions.

Michael