John Mertic, selfmade64856,
Originally Posted by selfmade64856
I dug into this permissions bug, in the code, on the forum, on the web, in the official Sugar docs, and in the Sugar KB.
So far, this is what I've uncovered, including reasons why it works like that.
I'm close to having a solution... almost.
There's a setting in config.php (this holds all the basic configuration data for your Sugar instance, and is located in the root of your Sugar install).
This setting controls the default permissions AND ownership, that Sugar will use when creating folders and files (such as the cache files - which Sugar's constantly creating - as it should).
The part of Sugar's config.php that we have to modify, looks like this, out of the box, on a fresh Sugar 6.3 instance, on a shared linux (RHEL/CentOS 5) server:
As you can clearly see, out of the box Sugar is setting files and folders like so:
'dir_mode' => 1528,
'file_mode' => 432,
'user' => '',
'group' => '',
a) Directory permissions to 1528 decimal, or octal 02770, or rwxrws---.
b) File permissions of 432 decimal, or octal 0660, or rw-rw----.
c) GUID on,
d) User owner and Group owner to nothing.
(A link to a good explanation of the general meaning of linux permissions and ownership, if you're scratching your head wondering what on earth this is:
Linux permissions )
The reason Sugar's defaults are no good for linux shared hosts, is because, for high security reasons:
1) the username that the apache process runs under (apache, www-data, www, or nobody) is a different username from your shared hosting account username, and
2) this "apache user" MAY belong to a different GROUP than your actual shared hosting account user's GROUP.
While you use Sugar, browse/create/update records, go from page to page, Sugar constantly generates cache files - stores them in the cache folder, and creates other files, storing them elsewhere in the folders under your Sugar instance's document root.
For example - when you upload your custom company logo, during the Sugar install - it saves your GIF on the linux shared host's filesystem, in an uploads folder somewhere under the Sugar document root.
This file has the wrong permissions and ownership, so apache cannot serve it to your browser!
When Sugar goes to show you your logo on the next screen, in place of the log is a big empty box with the symbol for "broken link" showing instead of the image. (!!!)
Same, very serious, problem for business Documents that you upload to Sugar, to associate with Sugar Accounts and Opportunities.
The uploaded Documents get saved with the wrong default permissions, and are inaccessible by your browser - at least until the permissions are fixed somehow !!
But fixing the permissions like this, even with a cron job script, is a less than ideal workaround:
a) because you can't be running the script ever minute - that's a crazy waste of disk IO - and
b) you're usually going to want to use your uploaded file within seconds, not up to a minute later..
I haven't completed the analysis of this - as of this moment - let alone gotten the full solution to it.
My script fix-permissions.php (attached below - to run it, put it in the root of your sugar instance and run it by entering the URL to the script in your browser) fixes this temporarily by recursively setting all directories to 755 (rwxr-xr-x) and all files to 644 (rw-r--r--). These are popular, standard, middle of the road, security permissions, that work reliably well on a public facing website hosted on centos linux.
More to come...