Skip to main content

Correct CMOD settings for smarty3, subfolders and their users
Hi there @Friendica Support ,
this question is related to this help request:
frio theme - Service Unavailable
https://tupambae.org/display/0ac89072-9165-5e71-7f9f-916750014598

I had a look at the smarty CHMOD settings and found the following:

drwxrwxr-x 3 www-data www-data 4096 Nov 8 20:23 smarty3
If I'm not wrong that's CMOD 775 (rwx|rwx|r-x) (?)

In the installation process the commands to create the smarty folders were:
www-data@VPShosting:~/html$ mkdir -p view/smarty3
www-data@VPShosting:~/html$ chmod 775 view/smarty3
see:
https://squeet.me/display/962c3e10-1565-2eab-e611-2a9750230278
https://tupambae.org/display/0ac89072-2065-5da2-9124-8b5839853793
--
I looked into the subfolders and found:

rootname@VPShosting:/var/www/html/view/smarty3# ls -l
drwxr-xr-x 222 www-data www-data 4096 Nov 25 17:20 compiled => CMOD 755 (rwx|r-x|r-x) (?)
--
The folder "compiled" has a long list of sub-folders apparently each having 2 more steps of sub-folders.

rootname@VPShosting:/var/www/html/view/smarty3/compiled# ls -l
total 880

I found two types of folders, some few created on different dates strangely belonging to the user root instead of www-data, here two examples and how those two types of subfolders look like.
I guess the folders owned by root are wrong?
--------------------
drwxr-xr-x 3 root root 4096 Nov 12 04:35 00
-
rootname@VPShosting:/var/www/html/view/smarty3/compiled/00# ls -l
drwxr-xr-x 3 root root 4096 Nov 12 04:35 d4 => CMOD 755 (rwx|r-x|r-x) (?)

rootname@VPShosting:/var/www/html/view/smarty3/compiled/00/d4# ls -l
drwxr-xr-x 2 root root 4096 Nov 12 04:35 ec => CMOD 755 (rwx|r-x|r-x) (?)

rootname@VPShosting:/var/www/html/view/smarty3/compiled/00/d4/ec# ls -l
-rw-r--r-- 1 root root 675 Nov 12 04:35 00d4eca105abd94437094f3d4409477acb55526a_2.string.php => CMOD 644 (rw-|r--|r--) (?)
--------------------
drwxr-xr-x 3 www-data www-data 4096 Nov 22 20:25 01
-
rootname@VPShosting:/var/www/html/view/smarty3/compiled/01# ls -l
drwxr-xr-x 3 www-data www-data 4096 Nov 22 20:25 97 => CMOD 755 (rwx|r-x|r-x) (?)

rootname@VPShosting:/var/www/html/view/smarty3/compiled/01/97# ls -l
drwxr-xr-x 2 www-data www-data 4096 Nov 22 20:25 f2 => CMOD 755 (rwx|r-x|r-x) (?)

rootname@VPShosting:/var/www/html/view/smarty3/compiled/01/97/f2# ls -l
-rw-r--r-- 1 www-data www-data 6140 Nov 22 20:25 0197f2d4b23957a898d38870d6c6a3775da487ff_2.file.group_side.tpl.php => CMOD 644 (rw-|r--|r--) (?)

Tutorial

2023-11-22 21:24:15


frio theme - Service Unavailable


Hi there @Friendica Support
just changed on this profile to FRIO as VIER seems to basically not perform the basic functions.

When I try to go to the settings page I get a "Service Unavailable" page.

What should I do?

friendica 2023.05 - firefox



utopiArte
Just checked all the 13 of 220 folders that were created as belonging to user and group root and that I consider shouldn't exist as owned by root i the folder /smarty3.

In general terms speaking I couldn't find a common property.

They refer to posts or replies by three different users.

Most refer to one specific post.

Two create a page:
Not Found
The requested item doesn't exist or has been deleted.
Request: XYZ

All were created with the theme VIER.
utopiArte
New error message (of FRIO) about a folder created by the user root.

I haven't found the extensive conversation about this problem with @Hypolite Petovan yet but I'm quite sure that I changed all folders to ownership of user www-data before 28th of November of the smarty folder. Actually there was another conversation about ownership of folders and I changed all folders to be owned by root except storage and view that day on 02:45hs, the new folder owned by root at /view/smarty3/compiled/ like stated below was created on 3:50hs.

As for what I remember of all the conversations this shouldn't have happened.


Service Unavailable
unable to create directory /var/www/html/view/smarty3/compiled/7c/ea/e6Exception thrown in /var/www/html/src/Core/Renderer.php:90
Stack trace:
#0 /var/www/html/mod/photos.php(902): Friendica\Core\Renderer::replaceMacros()
#1 /var/www/html/src/LegacyModule.php(96): photos_content()
#2 /var/www/html/src/LegacyModule.php(73): Friendica\LegacyModule->runModuleFunction()
#3 /var/www/html/src/BaseModule.php(244): Friendica\LegacyModule->content()
#4 /var/www/html/src/App.php(703): Friendica\BaseModule->run()
#5 /var/www/html/index.php(52): Friendica\App->runFrontend()
#6 {main}


Console research resultrootname@VPShosting:/var/www/html/view/smarty3/compiled# ls -l
..
drwxr-xr-x 5 www-data www-data 4096 Dec 6 00:40 7b
drwxr-xr-x 3 root root 4096 Nov 28 03:50 7c
drwxr-xr-x 3 www-data www-data 4096 Nov 28 02:45 7d
..
-----------------
rootname@VPShosting:/var/www/html/view/smarty3/compiled# cd 7c
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c# ls -l
total 4
drwxr-xr-x 3 root root 4096 Nov 28 03:50 d2
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c# cd d2
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c/d2# ls -l
total 4
drwxr-xr-x 2 root root 4096 Nov 28 03:50 69
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c/d2# cd 69
rootname@VPShosting:/var/www/html/view/smarty3/compiled/7c/d2/69# ls -l
total 4
-rw-r--r-- 1 root root 710 Nov 28 03:50 7cd2693513597460a71347ba02d3179c5e5ab822_2.string.php
nano 7cd2693513597460a71347ba02d3179c5e5ab822_2.string.php
<?php
/* Smarty version 4.3.1, created on 2023-11-28 03:50:02
  from '7cd2693513597460a71347ba02d3179c5e5ab822' */
/* @var Smarty_Internal_Template $_smarty_tpl */
if ($_smarty_tpl->_decodeProperties($_smarty_tpl, array (
  'version' => '4.3.1',
  'unifunc' => 'content_6565636a645732_50647552',
  'has_nocache_code' => false,
  'file_dependency' => 
  array (
  ),
  'includes' => 
  array (
  ),
),false)) {
function content_6565636a645732_50647552 (Smarty_Internal_Template $_smarty_tpl) {
?>[url=https://tupambae.org/profile/utopiarte]utopiArte[/url] replied to you on [url=https://tupambae.org/display/0ac89072-1065-6562-6405-8bb240314547]"bugreport - can't answer, like or reshare posts"[/url]<?p>
#1 #2 #4 #3 #5 #6
Hypolite Petovan
@utopiArte @TupambAdmin [stable] Are you by any chance running your Friendica cron jobs as root? It should run as www-data. Same question if you're using the daemon.
utopiArte
Not using daemon but CRON.

I guess that is running as root ..
utopiArte
@Hypolite Petovan

So this is a "tricky" one for me as I have no idea what or how to do this.
In the helpers page:
https://tupambae.org/help/Install#cron+job+for+worker
it only states:

helpers page wrote:

cron job for worker
If you are using a Linux server, run "crontab -e" and add a line like the one shown, substituting for your unique paths and settings:


I did my installation with the help of @hankg's tutorial:
https://www.nequalsonelifestyle.com/2022/07/30/creating-friendica-server-ubuntu/#creating-workers

ubuntu install tutorial wrote:

First log into the server through SSH using your root@<domain> user. Then execute the crontab edit command:
sudo crontab -e



How do I set this so "It should run as www-data."
??
Hypolite Petovan
@utopiArte Prepend the php command with su -u friendica and the command will be ran as www-data.
utopiArte
Something like this?

# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/5 * * * * cd /var/www/html; su -u friendica /usr/bin/php bin/worker.php
Hypolite Petovan
@utopiArte Looks good to me, you should run it once as root to make sure it doesn't fail horribly.
utopiArte
As off now it was running like this:
*/5 * * * * cd /var/www/html; /usr/bin/php bin/worker.php

Your suggestion:
php command with su -u friendica
*/5 * * * * cd /var/www/html; su -u friendica /usr/bin/php bin/worker.php

What we didn't actually clarified is what friendica stands for.
Like to say, is it a "place holder", a variable for a user or application name?
Is "friendica" defined as such in worker.php?
Or would it actually be www-data?
Hypolite Petovan
@utopiArte Sorry, friendica is the name of my local node web server user. You should be writing www-data instead.
Nanook
@Hypolite Petovan @utopiArte In my case, php software runs with the owners id of that software, so that every application runs with it's own id, this is much more secure than the www-data for everything scheme because in that scheme one application can write over all others or even itself, not good. This way a flaw in an application can only result in damage to that application.
utopiArte
learning question:
(some maybe "notes to myself to investigate")

When is that php software setting actually done?

I'm still working on that friendica for ubuntu VPS installation tutorial and at the same time (of course) starting to wonder about adding more sites, friendica or maybe other site software to the server I'm testing around with and actually just started to wonder how to separate for example two friendica instances to not use two times www-data for example. Like to get as differentiated permission and access settings as possible.

In the case of DB user and DB's themselfs that's more than obvious, but how when or where does the (in this case) www-data setting take place?

When pulling from github into the prepared (in this case) /html folder?
Or the subsequent bin/composer.phar install --no-dev step?

What happens if I try now to create a folder tree for several domains/subdomains and move/rename the existing /html folder?
There are some references in the admin panel for paths, that's kinda easy to find and change but are there more settings in the LAMP-Installation to have an eye on?

Why is it that the cron setting is the only one that doesn't have a path like the other files to edit with nano for example?
utopiArte
Well, this;
*/5 * * * * cd /var/www/html; su -u www-data /usr/bin/php bin/worker.php
.. didn't work out.

Looks like cron job didn't execute at all.

The last worker execution was on 2023-12-22 16:25:28 UTC. This is older than one hour. Please check your crontab settings.
utopiArte
Here is the previous conversation about this where I described when and how I changed the access settings of the installation and folders.

utopiArte

2023-11-27 16:44:52


Implications of access by the user www-data to all friendica folders


@Friendica Support

Hi there,
the friendica helpers page describes the installation process of friendica as follows:

/help/Install: wrote:

The Linux commands to clone the repository into a directory "mywebsite" would be

git clone https://github.com/friendica/friendica.git -b stable mywebsite
cd mywebsite

bin/composer.phar install --no-dev

Make sure the folder view/smarty3 exists and is writable by the webserver user, in this case www-data

mkdir -p view/smarty3
chown www-data:www-data view/smarty3
chmod 775 view/smarty3


Get the addons by going into your website folder.

cd mywebsite

Clone the addon repository (separately):

git clone https://github.com/friendica/friendica-addons.git -b stable addon



askubuntu.com: wrote:

What is the www-data user?
https://askubuntu.com/questions/873839/what-is-the-www-data-user
The web server has to be run under a specific user. That user must exist.

If it were run under root, then all the files would have to be accessible by root and the user would need to be root to access the files. With root being the owner, a compromised web server would have access to your entire system. By specifying a specific ID a compromised web server would only have full access to its files and not the entire server.


I guess this observation goes both ways, a compromised friendica instalation get's access to all the friendica folders if I choose to first create/activate the www-data user, than create the friendica installation folder structure, than git clone friendica, than create the smarty3 folder and ultimately do the git clone of the addon folder as described here:
https://tupambae.org/display/0ac89072-2065-5da2-9124-8b5839853793
The order in which the creation of www-data related folders in the above case is described makes all folders and files in the friendica directory belong to www-data.
In the friendica help description first comes the git-clone, than the the smarty3 folder part than the addon git-clone. Actually I guess that last part would make the addon folder belong to www-data too if I run one command after another. Is that intended?

I wonder if this could have some kind of security implications.
I guess www-data is somehow the friendica site and has permissions to do "what ever it wants" (-> "writable by the webserver user") with all the folders in the friendica directories if it's the owner of them.


@TupambAdmin [stable]

utopiArte
:(
f***, just pulled the whole link into this

😞