Permission Error Uploading to a directory created with CKFinder

[Strata-g Tech]

We have purchased CKFinder for are site but we are having a problem when users create new directories using CKFinder. Once they create the directory they don't have the correct permissions to upload files to the directory. The site is running a virtaul hosting server that uses the Plesk adminstration console. When I checked the owner for the directory created with CKFinder the user and group are set to apache:apache. When looking at the other directories the owner and group are set to reach:psadn. When I chown the directory created by through CKFinder to reach:pasdn I can then upload to the directory fine. I'm guessing that Plesk doesn't use the standard apache user becuase of how it is managing virtual host. I do need someway to allow users to create directories that they can upload to with out having to manually go in and change the ownership of the directory.

[Wiktor Walc]

I guess that this error is probably caused by safe_mode enabled on the server.

If that is the problem, since safe mode was removed in PHP 6.0.0, I suggest disabling it (in php.ini) also in PHP 4/5.

[Alfonso Martínez de Lizarrondo]

I don't know enough about PHP, so I just ask this: Doesn't it exist some function in PHP to impersonate (given the proper credentials) another user?

So if the user sets in the configuration a user/pass in the configuration, then whenever a directory is created do it impersonating that user so the directory gets the proper permission.

Or as I asked in the forums, is it possible to detect if safe_mode is enabled and then knowing that the created directories won't be useful refuse to create it returning an specific error?

[Wiktor Walc]

I think that safe_mode is just generally wrong.

Fortunately developers realised that and removed that evil along with magic_quotes in PHP6.

We can detect whether safe_mode is enabled to display error message, probably this is a good idea. It could be configurable to remove that error message, for eample if someone can't disable safe_mode for some reasons.

It's not possible to change permissions of created folders... because you can't access it (yes, this is how smart it is).

[Alfonso Martínez de Lizarrondo]

I wouldn't make the message configurable. If the folders won't be usable then it's better to don't create them at all from my point of view.

And the impersonation would work this way:

1. call to create folder
2. there is a user/pass in the config file
3. the system does login as that user
4. now the folder is created with those permissions
5. logout of the user, and exit from the call.

Does it exists something like this in PHP (point 3)?

[Wiktor Walc]

AFAIK it is impossible (3-5).

Safe mode is simply incorrect, but because it is called "safe" it is turned on by many administrators: ​http://pl2.php.net/features.safe-mode

I think we could display error message while creating folders that directory cannot be created due to wrong server configuration.

Regarding steps 3-5: Apache can be configured to do steps 3-5 automatically with suExec wrapper. But this cannot be done in PHP script.

[Strata-g Tech]

Turning off safe mode fixed the issue. Thank you for the response. It might be nice to have a config option to specify the user and group on new folders and files. With safe mode off I can still upload through CKFinder but I can not modify files with the FTP account that have been uploaded via CKFinder.

[Alfonso Martínez de Lizarrondo]

Replying to wwalc:

AFAIK it is impossible (3-5).

Safe mode is simply incorrect, but because it is called "safe" it is turned on by many administrators: ​http://pl2.php.net/features.safe-mode

I think we could display error message while creating folders that directory cannot be created due to wrong server configuration.

Regarding steps 3-5: Apache can be configured to do steps 3-5 automatically with suExec wrapper. But this cannot be done in PHP script.

So another crazy idea:
Set up the connector so it creates the folders through a ftp account.

I know that there was a feature request to make all the connector operations with a ftp account, and maybe this could be a good idea if it isn't possible to disable safe_mode in some servers.

Is this feasible?

[Wojciech Olchawa]

Hi

We handle CKFinder tickets in a separated system. We have taken note of this problem and we'll be working on it for future versions.

Thanks!