Silverstripe permissions for assets deployed on AWS - amazon-web-services

When uploading files in the admin backend of SilverStripe, I always get "permission denied".
Apache2 is running as www-data:www-data (checked with "whoami" and in the envvars).
The permissions for the assets folder are the following:
drwxrwxr-x+ 5 git www-data 4.0K Oct 2 08:18 .
drwxrwsr-x+ 17 git users 4.0K Oct 2 09:53 ..
-rwxrwxr-x+ 1 git www-data 1.5K Oct 2 08:18 .htaccess
drwxrwsr-x+ 2 git www-data 4.0K Oct 2 07:28 Uploads
drwxrwsr-x+ 2 git www-data 4.0K Oct 2 08:18 _combinedfiles
drwxrwsr-x+ 2 git www-data 4.0K Oct 2 07:57 books
-rwxrwxr-x+ 1 git www-data 4.5K Oct 1 14:48 error-404.html
-rwxrwxr-x+ 1 git www-data 4.3K Oct 1 14:48 error-500.html
-rwxrwxr-x+ 1 git www-data 4.4K Oct 2 08:18 web.config
Even if I set them to 777, I still get permission denied. It works locally and I can't get my head around why it doesn't work.
Apache ErrorLog:
[Fri Oct 02 10:24:18.364138 2015] [:error] [pid 16008] [client 62.218.34.90:44300] PHP Warning: copy(/var/www/X/assets/books/Mike.png): failed to open stream: Permission denied in /var/www/X/framework/filesystem/Upload.php on line 195, referer: http://x.amazonaws.com/index.php/admin/assets/add/?ID=7
[Fri Oct 02 10:24:18.364615 2015] [:error] [pid 16008] [client 62.218.34.90:44300] PHP Warning: Requirements_Backend::process_combined_files(): Couldn't create '/var/www/X/assets/_combinedfiles//lib.js' in /var/www/X/framework/view/Requirements.php on line 1214, referer: http://x.amazonaws.com/index.php/admin/assets/add/?ID=7
Is this an AWS specific problem? Any clues?

The problem was ACLs.
Using getfacl ./assets/ I could determine that the ACLs were set to undermine the normal permission model.
With setfacl I was able to extend the ACLs to include the web user (www-data) in the assets directory with rwx.
Hope this helps someone.
Best regards, G
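Added example (not part of the question or of G's answer): a small Python checker that parses getfacl output and applies the POSIX ACL evaluation order (owner, named user, owning/named groups, other, with the mask capping everything but owner and other). It shows the two ways a directory listed as drwxrwxr-x+ can still deny www-data write access: a named user entry that is narrower than the group entry, or a mask that strips the write bit. The getfacl samples are constructed; the user and group names follow the listing above.

```python
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed getfacl output (not from the original post). ls would show
# drwxrwxr-x+, yet the named user entry for www-data denies write.
SAMPLE_NAMED_USER = """\
# file: assets
# owner: git
# group: www-data
user::rwx
user:www-data:r-x
group::rwx
mask::rwx
other::r-x
"""

# Second constructed case: the entries grant rwx but the mask strips write.
# getfacl annotates such entries with a trailing "#effective:r-x".
SAMPLE_MASKED = """\
# file: assets
# owner: git
# group: www-data
user::rwx
user:www-data:rwx    #effective:r-x
group::rwx           #effective:r-x
mask::r-x
other::r-x
"""


def parse_perms(text):
    """'rwx' / 'r-x' -> integer bitmask."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, perms)."""
    owner = owning_group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                if m.group(1) == "owner":
                    owner = m.group(2)
                else:
                    owning_group = m.group(2)
            continue
        line = line.split("#", 1)[0].strip()  # drop "#effective:..." annotations
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, parse_perms(perms)))
    return owner, owning_group, entries


def allowed(getfacl_text, user, groups, want):
    """POSIX.1e access check for a process running as `user` with `groups`.

    True when the ACL grants every permission in `want` ('r', 'w', 'x').
    Evaluation order: owner, named user, owning/named groups, other.
    The mask caps every entry except the owner and other entries.
    """
    owner, owning_group, entries = parse_getfacl(getfacl_text)
    need = parse_perms(want)
    mask = next((p for t, _, p in entries if t == "mask"), None)

    def masked(p):
        return p if mask is None else p & mask

    if user == owner:  # the owner entry applies; no fall-through to group entries
        p = next(p for t, q, p in entries if t == "user" and q == "")
        return need & p == need
    for t, q, p in entries:  # a named user entry wins over group membership
        if t == "user" and q == user:
            return need & masked(p) == need
    group_perms = [masked(p) for t, q, p in entries
                   if t == "group" and (owning_group if q == "" else q) in groups]
    if group_perms:  # one matching group entry must carry all requested bits
        return any(need & p == need for p in group_perms)
    other = next(p for t, _, p in entries if t == "other")
    return need & other == need


def applicable_entries(getfacl_text, user, groups):
    """Explain a denial: the entries that apply to this process and their effective bits."""
    owner, owning_group, entries = parse_getfacl(getfacl_text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    report = []
    for t, q, p in entries:
        applies = ((t == "user" and q == "" and user == owner)
                   or (t == "user" and q == user)
                   or (t == "group" and (owning_group if q == "" else q) in groups))
        if applies:
            eff = p if (t == "user" and q == "") or mask is None else p & mask
            report.append((f"{t}:{q}:", eff))
    return report


if __name__ == "__main__":
    for label, acl in (("named user", SAMPLE_NAMED_USER), ("mask", SAMPLE_MASKED)):
        print(label, "-> www-data may write:", allowed(acl, "www-data", ["www-data"], "w"),
              applicable_entries(acl, "www-data", ["www-data"]))
```

Run it against a real directory by feeding the output of getfacl ./assets/ to allowed() with the user and groups Apache actually runs with (id www-data). Adding the missing entry is a setfacl call such as setfacl -R -m u:www-data:rwx ./assets, followed by getfacl again: if the new entry shows a "#effective:" annotation, the mask still needs raising (setfacl -m m::rwx).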

I would recommend you use a module and store the assets in S3: https://github.com/markguinn/silverstripe-cloudassets

Related

Google Cloud VM metadata-based keys ssh: handshake failed unable to authenticate and oslogin_cache_refresh: Failure getting groups, quitting

When trying to SSH to GCE VMs using metadata-based SSH keys I get the following error:
ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
While troubleshooting I can see the keys in the instance metadata, but they are not being added to the user's authorized_keys file:
$ curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh-keys"
username:ssh-ed25519 AAAAC3NzaC....omitted....
admin:ssh-ed25519 AAAAC3NzaC....omitted....
$ sudo ls -hal /home/**/.ssh/
/home/ubuntu/.ssh/:
total 8.0K
drwx------ 2 ubuntu ubuntu 4.0K Aug 11 23:19 .
drwxr-xr-x 3 ubuntu ubuntu 4.0K Aug 11 23:19 ..
-rw------- 1 ubuntu ubuntu 0 Aug 11 23:19 authorized_keys
# Only result is the default zero-length file for ubuntu user
I also see the following errors in the ssh server auth log and Google Guest Environment services:
$ sudo less /var/log/auth.log
Aug 11 23:28:59 test-vm sshd[2197]: Invalid user admin from 1.2.3.4 port 34570
Aug 11 23:28:59 test-vm sshd[2197]: Connection closed by invalid user admin 1.2.3.4 port 34570 [preauth]
$ sudo journalctl -u google-guest-agent.service
Aug 11 22:24:42 test-vm oslogin_cache_refresh[907]: Refreshing passwd entry cache
Aug 11 22:24:42 test-vm oslogin_cache_refresh[907]: Refreshing group entry cache
Aug 11 22:24:42 test-vm oslogin_cache_refresh[907]: Failure getting groups, quitting
Aug 11 22:24:42 test-vm oslogin_cache_refresh[907]: Failed to get groups, not updating group cache file, removing /etc/oslogin_group.cache.bak.
# or
Aug 11 23:19:37 test-vm GCEGuestAgent[766]: 2022-08-11T23:19:37.6541Z GCEGuestAgent Info: Creating user admin.
Aug 11 23:19:37 test-vm useradd[885]: failed adding user 'admin', data deleted
Aug 11 23:19:37 test-vm GCEGuestAgent[766]: 2022-08-11T23:19:37.6869Z GCEGuestAgent Error non_windows_accounts.go:144:
Error creating user: useradd: group admin exists - if you want to add this user to that group, use -g.
Currently the latest cloud-init and guest-oslogin packages for Ubuntu 20.04.4 LTS (focal) seem to have an issue that causes google-guest-agent.service to exit before completing its task. The issue was fixed and committed but not yet released for focal (and likely other Ubuntu versions).
For now you can try disabling OS Login by setting instance or project metadata enable-oslogin=FALSE. After which you should see the expected results and be able to SSH using those keys:
$ sudo journalctl -u google-guest-agent.service
Aug 11 23:10:33 test-vm GCEGuestAgent[761]: 2022-08-11T23:10:33.0517Z GCEGuestAgent Info: Created google sudoers file
Aug 11 23:10:33 test-vm GCEGuestAgent[761]: 2022-08-11T23:10:33.0522Z GCEGuestAgent Info: Creating user username.
Aug 11 23:10:33 test-vm useradd[881]: new group: name=username, GID=1002
Aug 11 23:10:33 test-vm useradd[881]: new user: name=username, UID=1001, GID=1002, home=/home/username, shell=/bin/bash, from=none
Aug 11 23:10:33 test-vm gpasswd[895]: user username added by root to group ubuntu
Aug 11 23:10:33 test-vm gpasswd[904]: user username added by root to group adm
Aug 11 23:10:33 test-vm gpasswd[983]: user username added by root to group google-sudoers
Aug 11 23:10:33 test-vm GCEGuestAgent[761]: 2022-08-11T23:10:33.7615Z GCEGuestAgent Info: Updating keys for user username.
$ sudo ls -hal /home/username/.ssh/
/home/username/.ssh/:
total 12K
drwx------ 2 username username 4.0K Aug 11 23:19 .
drwxr-xr-x 4 username username 4.0K Aug 11 23:35 ..
-rw------- 1 username username 589 Aug 11 23:19 authorized_keys
The admin user, however, will not work, since it conflicts with an existing Linux group. You should pick a username that does not conflict with any of the name:x:123: names listed by getent group.
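Added example (not from the original answer): a Python check that parses the ssh-keys metadata value shown above and compares each username against the first field of /etc/passwd and /etc/group, so that a name which exists only as a group (the case that makes useradd fail with "group admin exists") is flagged before the guest agent ever tries to create it. All three inputs are constructed samples; the key material is a placeholder.

```python
# Constructed sample data, not taken from a real VM.
SSH_KEYS_METADATA = """\
username:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 username
admin:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY2 admin
ubuntu:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY3 ubuntu
"""

ETC_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
"""

ETC_GROUP = """\
root:x:0:
adm:x:4:syslog,ubuntu
admin:x:113:
ubuntu:x:1000:
google-sudoers:x:1001:
"""


def parse_ssh_keys(metadata):
    """Map each username in the ssh-keys metadata value to its list of public keys."""
    keys = {}
    for line in metadata.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, key = line.partition(":")
        if not sep or not key:
            raise ValueError(f"malformed ssh-keys line: {line!r}")
        keys.setdefault(user, []).append(key)
    return keys


def names_in(nss_text):
    """First field of every /etc/passwd or /etc/group line (same shape as getent output)."""
    return {line.split(":", 1)[0]
            for line in nss_text.splitlines()
            if line.strip() and not line.startswith("#")}


def classify_users(metadata, passwd_text, group_text):
    """For every metadata user: 'exists', 'group-conflict' or 'ok'."""
    users = names_in(passwd_text)
    groups = names_in(group_text)
    result = {}
    for user in parse_ssh_keys(metadata):
        if user in users:
            result[user] = "exists"          # agent only refreshes authorized_keys
        elif user in groups:
            result[user] = "group-conflict"  # useradd fails: a group of that name exists
        else:
            result[user] = "ok"              # useradd creates the user and its private group
    return result


def conflicting_users(metadata, passwd_text, group_text):
    """Usernames that would trip the 'group ... exists' useradd error."""
    status = classify_users(metadata, passwd_text, group_text)
    return sorted(u for u, s in status.items() if s == "group-conflict")


if __name__ == "__main__":
    print(classify_users(SSH_KEYS_METADATA, ETC_PASSWD, ETC_GROUP))
    print("rename these before adding them to metadata:",
          conflicting_users(SSH_KEYS_METADATA, ETC_PASSWD, ETC_GROUP))
```

On a real instance, feed it the output of the curl command against metadata.google.internal shown in the question and the contents of getent passwd and getent group; a "group-conflict" result for a name explains the "Invalid user" lines in auth.log, because no account was ever created for it.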

Nginx 403 Forbidden on serving large images

I have set up a Django application in which a user can upload an image, which is then served by Nginx and Gunicorn.
I have a problem with uploading large image files, which do not get the appropriate permissions to be served by Nginx:
location /medias/images/ {
root /var/www/html;
}
When uploading files, the larger ones only get read permissions for the user, not for group/other:
-rw------- 1 user1 user1 4.9M Mar 15 14:35 File1.jpg
-rw------- 1 user1 user1 3.7M Mar 15 14:31 File2.jpg
-rw-r--r-- 1 user1 user1 110K Mar 15 14:44 File3.pdf
-rw-r--r-- 1 user1 user1 34K Mar 15 09:17 File4.docx
-rw-r--r-- 1 user1 user1 136K Mar 15 14:45 File5.jpg
-rw-r--r-- 1 user1 user1 92K Mar 15 14:22 File6.doc
-rw------- 1 user1 user1 4.4M Mar 15 14:25 File7.jpg
However, the smaller images get their permissions fine and are served properly.
The point is that uploading both small and semi-large (3 MB) image files is done by the same process.
Any ideas?
Set the FILE_UPLOAD_MAX_MEMORY_SIZE parameter in your Django settings, in bytes.
For example, FILE_UPLOAD_MAX_MEMORY_SIZE = 20971520 equals 20 MB.
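Added example (not from the question or the answer, and not Django's own code): a Python reproduction of the mechanism behind the listing above. A small file written straight to its destination gets a mode derived from the umask (0644 with the usual 022), while a file streamed to a temporary file and then renamed into place keeps the 0600 mode that mkstemp() always uses, which is exactly what happens to an upload that exceeds the in-memory threshold. The block also contains the check an operator would run over the media directory and the chmod that fixes a file after the move. The file names and contents are constructed.

```python
import os
import stat
import tempfile


def write_via_open(directory, name, data):
    """Small upload: written straight to the destination; mode follows the umask."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_via_tempfile_move(directory, name, data):
    """Large upload: streamed to a temp file, then renamed into place.

    mkstemp() creates the file with mode 0o600 regardless of the umask and
    rename() keeps that mode, so the result is unreadable to the nginx user.
    """
    fd, tmp_path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    path = os.path.join(directory, name)
    os.rename(tmp_path, path)
    return path


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path):
    """True when a process with a different uid and gid (nginx) can read the file."""
    return bool(mode_of(path) & stat.S_IROTH)


def apply_upload_permissions(path, mode=0o644):
    """Normalise the mode after the move; Django's FILE_UPLOAD_PERMISSIONS does the same chmod."""
    os.chmod(path, mode)
    return mode_of(path)


def find_unservable(directory):
    """Audit: relative names of files under `directory` that nginx could not read."""
    bad = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            if not readable_by_others(p):
                bad.append(os.path.relpath(p, directory))
    return sorted(bad)


def demo(directory=None, umask=0o022):
    """Reproduce both upload paths under a fixed umask (022 assumed) on a scratch directory."""
    directory = directory or tempfile.mkdtemp()
    old = os.umask(umask)
    try:
        small = write_via_open(directory, "small.jpg", b"\xff\xd8" + b"\x00" * 16)
        large = write_via_tempfile_move(directory, "large.jpg", b"\xff\xd8" + b"\x00" * 4096)
    finally:
        os.umask(old)
    before = {"small.jpg": mode_of(small), "large.jpg": mode_of(large)}
    unservable = find_unservable(directory)
    apply_upload_permissions(large)
    after = {"small.jpg": mode_of(small), "large.jpg": mode_of(large)}
    return {"dir": directory, "before": before, "unservable": unservable, "after": after,
            "unservable_after_fix": find_unservable(directory)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if not isinstance(value, dict)
              else {k: oct(v) for k, v in value.items()})
```

Raising FILE_UPLOAD_MAX_MEMORY_SIZE keeps more uploads on the first path; setting FILE_UPLOAD_PERMISSIONS = 0o644 in settings makes Django apply the chmod shown in apply_upload_permissions() to every saved file, so files larger than the threshold are served too. find_unservable() run over /var/www/html/medias/images reports any files already on disk with the wrong mode.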

libmqic_r.so: cannot open shared object file: No such file or directory, python

I just created a Vagrant VM with CentOS, installed Python 2.7 and pip using Miniconda, installed pymqi using pip, and created a test Python file to see if my pymqi installation is correct:
import pymqi
print "hello..."
but I got this:
[vagrant@localhost projects]$ python test.py
Traceback (most recent call last):
File "test.py", line 1, in <module>
import pymqi
File "/home/vagrant/miniconda2/lib/python2.7/site-packages/pymqi/__init__.py", line 109, in <module>
import pymqe, CMQC, CMQCFC, CMQXC
ImportError: libmqic_r.so: cannot open shared object file: No such file or directory
I looked for that file:
[vagrant@localhost projects]$ find /opt/mqm/ -name 'libmqic_r.so'
/opt/mqm/lib/compat/libmqic_r.so
/opt/mqm/lib/libmqic_r.so
/opt/mqm/lib64/compat/libmqic_r.so
/opt/mqm/lib64/libmqic_r.so
Thank you, your help is appreciated.
I found the solution:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/mqm/lib64
As a general rule, using the LD_LIBRARY_PATH variable is bad practice. You'd better just create the appropriate symlinks to the 64-bit version of the shared objects.
For some reason, when you install the IBM MQSeries Client, only the 32-bit MQ libraries are linked into /usr/lib/:
[root@host ~]# ll /usr/lib/libmq*
lrwxrwxrwx 1 root root 26 Jan 25 12:49 /usr/lib/libmqicb_r.so -> /opt/mqm/lib/libmqicb_r.so
lrwxrwxrwx 1 root root 24 Jan 25 12:49 /usr/lib/libmqicb.so -> /opt/mqm/lib/libmqicb.so
lrwxrwxrwx 1 root root 25 Jan 25 12:49 /usr/lib/libmqic_r.so -> /opt/mqm/lib/libmqic_r.so
lrwxrwxrwx 1 root root 23 Jan 25 12:49 /usr/lib/libmqic.so -> /opt/mqm/lib/libmqic.so
lrwxrwxrwx 1 root root 25 Jan 25 12:49 /usr/lib/libmqiz_r.so -> /opt/mqm/lib/libmqiz_r.so
lrwxrwxrwx 1 root root 23 Jan 25 12:49 /usr/lib/libmqiz.so -> /opt/mqm/lib/libmqiz.so
lrwxrwxrwx 1 root root 25 Jan 25 12:49 /usr/lib/libmqjx_r.so -> /opt/mqm/lib/libmqjx_r.so
lrwxrwxrwx 1 root root 26 Jan 25 12:49 /usr/lib/libmqmcs_r.so -> /opt/mqm/lib/libmqmcs_r.so
lrwxrwxrwx 1 root root 24 Jan 25 12:49 /usr/lib/libmqmcs.so -> /opt/mqm/lib/libmqmcs.so
lrwxrwxrwx 1 root root 25 Jan 25 12:49 /usr/lib/libmqmzse.so -> /opt/mqm/lib/libmqmzse.so
While the 64-bit libs are not:
[root@host ~]# ll /usr/lib64/libmq*
ls: /usr/lib64/libmq*: No such file or directory
You can fix it by just executing
[root@host ~]# ln -s /opt/mqm/lib64/libmq* /usr/lib64/
Please check if you have installed MQSeriesClient; otherwise the .so files are not in the library path.
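Added example (not from any of the answers): a Python script that reads the ELF identification bytes of a shared object to tell a 32-bit from a 64-bit library, then walks a list of search directories the way the loader does, skipping copies whose ELF class does not match the interpreter. It shows why a 64-bit Python cannot use the /usr/lib symlinks that point into /opt/mqm/lib, and why the /opt/mqm/lib64 copies are the ones to link. The file contents are constructed minimal ELF headers served from an in-memory map, so it runs without the MQ client installed; read_header() without the opener argument reads real files.

```python
import struct

ELF_MAGIC = b"\x7fELF"
MACHINES = {0x03: "i386", 0x3E: "x86-64", 0xB7: "aarch64", 0x28: "arm"}


def make_elf_header(elf_class, machine, little_endian=True):
    """Constructed minimal ELF header for the samples below; not a real library."""
    ei_class = 1 if elf_class == 32 else 2          # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = 1 if little_endian else 2             # EI_DATA:  1 = little endian, 2 = big endian
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8   # 16-byte e_ident
    fmt = "<HH" if little_endian else ">HH"
    type_and_machine = struct.pack(fmt, 3, machine)  # e_type = ET_DYN, e_machine
    return (ident + type_and_machine).ljust(64, b"\x00")


def elf_class(data):
    """32 or 64 from the ELF identification bytes, or None if this is not an ELF file."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    return {1: 32, 2: 64}.get(data[4])


def elf_machine(data):
    """Architecture name from e_machine (offset 18, endianness from EI_DATA)."""
    if elf_class(data) is None:
        return None
    fmt = "<H" if data[5] == 1 else ">H"
    (machine,) = struct.unpack_from(fmt, data, 18)
    return MACHINES.get(machine, hex(machine))


# Stand-ins for the files on disk. Paths mirror the listing above; bytes are synthetic.
FAKE_FS = {
    "/opt/mqm/lib/libmqic_r.so": make_elf_header(32, 0x03),
    "/opt/mqm/lib64/libmqic_r.so": make_elf_header(64, 0x3E),
    "/usr/lib/libmqic_r.so": make_elf_header(32, 0x03),   # the symlink the installer created
}


def fake_opener(path):
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def read_header(path, opener=None):
    """First 64 bytes of `path`; `opener` substitutes an in-memory file system."""
    if opener is not None:
        return opener(path)
    with open(path, "rb") as fh:
        return fh.read(64)


def first_loadable(soname, search_dirs, interpreter_class, opener=None):
    """Mimic ld.so's directory walk: the first copy of `soname` whose ELF class
    matches the interpreter wins; copies of the wrong class are skipped."""
    for d in search_dirs:
        path = f"{d.rstrip('/')}/{soname}"
        try:
            hdr = read_header(path, opener)
        except FileNotFoundError:
            continue
        if elf_class(hdr) == interpreter_class:
            return path
    return None


if __name__ == "__main__":
    dirs = ["/usr/lib", "/usr/lib64"]
    print("64-bit python, default dirs:", first_loadable("libmqic_r.so", dirs, 64, fake_opener))
    print("after linking /opt/mqm/lib64:", first_loadable("libmqic_r.so", dirs + ["/opt/mqm/lib64"], 64, fake_opener))
```

For real files, elf_class(read_header("/opt/mqm/lib64/libmqic_r.so")) is the same check that "file" or "readelf -h" performs; compare the result with the class of the Python binary itself before creating symlinks.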

Regex that matches [number-n]-WORD but not [number]-WORD

I want to create a shell script that iterates through folders and deletes folders that match [versionnumber-n] where n > 0.
The version number is in a file whose content is like:
MAVEN_VERSION=1.2.7.0-SNAPSHOT
Here's an example. The file listing is like:
drwxrwxr-x 4 jenkins jenkins 4096 Jul 29 10:54 ./
drwxrwxr-x 20 jenkins jenkins 4096 Jul 4 09:20 ../
drwxr-xr-x 2 jenkins jenkins 4096 Jul 23 12:35 1.2.6.0-SNAPSHOT/
drwxr-xr-x 2 jenkins jenkins 4096 Jul 28 23:13 1.2.7.0-SNAPSHOT/
-rw-rw-r-- 1 jenkins jenkins 403 Jul 29 10:11 maven-metadata-local.xml
-rw-r--r-- 1 jenkins jenkins 403 Jul 28 23:13 maven-metadata-mtx-snapshots.xml
-rw-r--r-- 1 jenkins jenkins 40 Jul 28 23:13 maven-metadata-mtx-snapshots.xml.sha1
-rw-r--r-- 1 jenkins jenkins 403 Jul 28 23:13 maven-metadata.xml
-rw-r--r-- 1 jenkins jenkins 32 Jul 28 23:13 maven-metadata.xml.md5
-rw-r--r-- 1 jenkins jenkins 40 Jul 28 23:13 maven-metadata.xml.sha1
-rw-r--r-- 1 jenkins jenkins 186 Jul 28 23:13 resolver-status.properties
I want the script to delete the folder 1.2.6.0-SNAPSHOT/ but not 1.2.7.0-SNAPSHOT/. If there were folders like 1.2.5.0-SNAPSHOT/ or 1.2.4.0-SNAPSHOT/, those too.
What I have at this point:
.*(?!1.2.7.0)(-SNAPSHOT)
Which, unfortunately, matches both folders (in the example above).
edit: just hit submit too early ...
With Bash you can just use negation with extended pathname expansion.
shopt -s extglob
rm -fr /dir/1.2.!(7).0-SNAPSHOT
Dry run example:
$ ls -1
1.2.10.0-SNAPSHOT
1.2.5.0-SNAPSHOT
1.2.6.0-SNAPSHOT
1.2.7.0-SNAPSHOT
a
$ echo rm -fr 1.2.!(7).0-SNAPSHOT
rm -fr 1.2.10.0-SNAPSHOT 1.2.5.0-SNAPSHOT 1.2.6.0-SNAPSHOT
See Extended Pattern Matching and Filename Expansion.
How I did it in the end:
if [ -z "$MAVEN_VERSION_SERVER" ]
then
# -e so the \n is interpreted; exit so nothing below runs with an empty version
echo -e "\$MAVEN_VERSION_SERVER NOT set!\n exiting ..."
exit 1
else
# quote the variable so an unexpected value cannot split into extra find arguments
find /var/lib/jenkins/.m2/repository/de/db/mtxbes -mindepth 1 -type d -regex '.*SNAPSHOT' -not -name "$MAVEN_VERSION_SERVER" | xargs -d '\n' rm -fr
fi
(the $MAVEN_VERSION_SERVER variable gets set and read with Groovy scripts beforehand)
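Added example (not from the question or either answer): a Python version of the clean-up that reads MAVEN_VERSION from the properties file, matches directory names of the form number-WORD, and compares versions numerically instead of textually. That goes one step beyond the shell answers: the pattern 1.2.!(7).0-SNAPSHOT and the find -not -name filter both delete everything that is not the current version, including 1.2.10.0-SNAPSHOT in the dry run above, whereas a numeric comparison removes only versions lower than the current one. prune() defaults to a dry run; the directory names are taken from the listing in the question and the scratch tree in demo_prune() is constructed.

```python
import os
import re
import shutil
import tempfile

# "<dotted number>-<WORD>", e.g. 1.2.6.0-SNAPSHOT; a trailing "/" from ls -F is tolerated.
VERSION_DIR = re.compile(r"^(\d+(?:\.\d+)*)-([A-Za-z]+)$")


def read_maven_version(properties_text):
    """Extract MAVEN_VERSION=... from the file described in the question."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "MAVEN_VERSION":
            return value.strip()
    raise ValueError("MAVEN_VERSION not set")


def split_version(name):
    """'1.2.7.0-SNAPSHOT' -> ((1, 2, 7, 0), 'SNAPSHOT'); None for anything else."""
    m = VERSION_DIR.match(name.rstrip("/"))
    if not m:
        return None
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def older_versions(names, current):
    """Names with the same suffix as `current` and a numerically lower version."""
    cur = split_version(current)
    if cur is None:
        raise ValueError(f"not a version directory name: {current}")
    hits = []
    for n in names:
        v = split_version(n)
        if v is not None and v[1] == cur[1] and v[0] < cur[0]:
            hits.append(n.rstrip("/"))
    return sorted(hits, key=lambda n: split_version(n)[0])


def prune(repo_dir, current, dry_run=True):
    """Remove (or with dry_run just list) older version directories under repo_dir."""
    names = [n for n in os.listdir(repo_dir) if os.path.isdir(os.path.join(repo_dir, n))]
    targets = [os.path.join(repo_dir, n) for n in older_versions(names, current)]
    if not dry_run:
        for t in targets:
            shutil.rmtree(t)
    return targets


def demo_prune():
    """Run against a constructed scratch tree; returns (would_delete, left_after_delete)."""
    root = tempfile.mkdtemp()
    for n in ("1.2.10.0-SNAPSHOT", "1.2.5.0-SNAPSHOT", "1.2.6.0-SNAPSHOT", "1.2.7.0-SNAPSHOT"):
        os.mkdir(os.path.join(root, n))
    open(os.path.join(root, "maven-metadata.xml"), "w").close()
    current = read_maven_version("MAVEN_VERSION=1.2.7.0-SNAPSHOT\n")
    would = [os.path.basename(p) for p in prune(root, current, dry_run=True)]
    prune(root, current, dry_run=False)
    left = sorted(os.listdir(root))
    shutil.rmtree(root)
    return would, left


if __name__ == "__main__":
    would, left = demo_prune()
    print("would delete:", would)
    print("left afterwards:", left)
```

In the Jenkins job this replaces the find | xargs pipeline: read the version from the properties file, call prune(repo, version, dry_run=True) once to review the list, then run it with dry_run=False.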

smarty template compile directory not writable

I'm using the latest version of Smarty (3.0rc3).
I made my templates_c directory writable on the command line (chmod -R 777 templates_c), but Smarty still outputs this when I call $smart->utility->testInstall():
Testing compile directory...
FAILED: ./php/classes/smarty/templates_c/ is not writable.
and this when I use Smarty:
Warning: rename(/tmp/wrtub1GxS,./php/classes/smarty/templates_c/73e0ecf25f1c14182b8af5906bb8e9afa33b2b07.file.main.html.php): Permission denied in /var/www/html/dev/dynamic/php/classes/smarty/sysplugins/smarty_internal_write_file.php on line 41
Warning: chmod(): No such file or directory in /var/www/html/dev/dynamic/php/classes/smarty/sysplugins/smarty_internal_write_file.php
Here is my ls -al output:
drwxrwxrwx. 8 cove cove 4096 Aug 31 15:53 .
drwxrwxr-x. 5 cove cove 4096 Aug 31 15:24 ..
drwxrwxrwx. 2 cove cove 4096 Aug 31 15:36 cache
drwxrwxrwx. 2 cove cove 4096 Aug 31 15:39 configs
-rwxrwxrwx. 1 cove cove 2810 Aug 31 15:22 debug.tpl
drwxrwxrwx. 2 cove cove 4096 Jul 15 01:09 plugins
-rwxrwxrwx. 1 cove cove 27135 Aug 31 15:45 Smarty.class.php
drwxrwxrwx. 2 cove cove 4096 Jul 15 01:09 sysplugins
drwxrwxrwx. 2 cove cove 4096 Aug 31 15:36 templates
drwxrwxrwx. 2 nobody nobody 4096 Aug 31 15:53 templates_c
I'm working on Fedora 13. Can someone please help me?
Thank you in advance.
This is the solution in my case:
deactivate SELinux
In a terminal, type system-config-selinux.
Good luck.