Can't download uploaded files after upgrade


Can't download uploaded files after upgrade

Perkins, Bradley D
When we moved our 4D v11 system to v14 I had to change the location of our Active4D files.
Active4D runs on a client (4D Remote) on Mac OS 10.9.5 (was 10.6.8)

Old location of Active4D file uploads
/Library/Application Support/4D/com.aparajita/Active4D/web/uploads

New location of Active4D file uploads. We had to move them to the user that runs 4D's folder.
/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/uploads

Apache has always served the uploaded files. In our web root we have a docs folder

<webroot>/docs/

That folder has a symbolic link


srts -> /Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/uploads/

A link to an uploaded file might look like this:

https://www.mysite.com/docs/srts/253294/6534/testfile.txt

When trying to access that file I get this error:

Forbidden
You don't have permission to access /docs/srts/253294/6534/testfile.txt on this server.

Apache is configured to FollowSymlinks. However, my Apache logs show the following errors:

Symbolic link not allowed or link target not accessible: /Library/WebServer/Documents/TWP/docs/srts

I obviously have a permissions problem. I've spent hours trying to fix it but obviously haven't gotten the right combination.

I've even tried giving all permissions to user, group and other to the uploads folder.

If anyone has encountered this problem can you provide any tips?

Thanks,

Brad Perkins

_______________________________________________
Active4D-dev mailing list
[hidden email]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/

Re: Can't download uploaded files after upgrade

aparajita
Administrator
> When trying to access that file I get this error:
>
> Forbidden
> You don't have permission to access /docs/srts/253294/6534/testfile.txt on this server.

You have to configure apache to allow access to the target directory of a symlink (or parent thereof), in this case probably /docs/srts.

Regards,

  Aparajita


Re: Can't download uploaded files after upgrade

Perkins, Bradley D
On 10/27/14 9:48 AM, "Aparajita Fishman" <[hidden email]>
wrote:

>> When trying to access that file I get this error:
>>
>> Forbidden
>> You don't have permission to access /docs/srts/253294/6534/testfile.txt
>>on this server.
>
>You have to configure apache to allow access to the target directory of a
>symlink (or parent thereof), in this case probably /docs/srts.

On the old system we did this on the parent directory and it worked fine.
My understanding is that a Directory directive applies to all
subdirectories below it.

The new system is configured the same way.

I've tried what I think you are suggesting e.g.,

<Directory /Library/WebServer/Documents/TWP/docs/srts>
    Options FollowSymLinks
    AllowOverride None
</Directory>


But no joy...

I really don't want to make a major change to the A4D system but I'm
wondering if I should ditch the symbolic links and have Active4D copy
uploads to folder under the Apache web root. I've never done that. Does it
involve setting "safe doc dirs"?

Thanks,

-- Brad


Re: Can't download uploaded files after upgrade

aparajita
Administrator
> I've tried what I think you are suggesting e.g.,
>
> <Directory /Library/WebServer/Documents/TWP/docs/srts >
>    Options FollowSymLinks
>    AllowOverride None
>    </Directory>


Do you have an entry for the target of the symlink, i.e. /Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/uploads?

Regards,

  Aparajita


Re: Can't download uploaded files after upgrade

Perkins, Bradley D
If you mean a <Directory "/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/uploads"> in my Apache config files, I don't.

I added that and restarted Apache. Documents are still Forbidden.

/Library/WebServer/Documents/TWP/docs has a symlink to
/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/uploads

In looking at my old server configuration files, https.conf simply has
this:

## First, we configure the "default" to be a very restrictive set of
## features.  
##
<Directory "/">
  Options FollowSymLinks
  AllowOverride None
</Directory>

The site specific virtual host configuration files have e.g. this:

<Directory "/Library/WebServer/Documents/TWP">
  <IfModule mod_dav.c>
    DAV Off
  </IfModule>
  Options All +MultiViews -ExecCGI -Indexes -Includes
  AllowOverride None
</Directory>

I never explicitly specified settings for docs/srts/ or paths to Active4D
files.


The only thing that is really different is that for V11 I was able to put
my Active4D files in
/Library/Application Support/4D/com.aparajita

With v14 and A4D 6.1 I had to put them in
/Users/webclient/Library/Application Support/4D/com.aparajita

I'm thinking that Apache was able to deal with A4D files in the system
root path, but not buried in a /User/... Path.

I've done a lot of reading on this and I suspect that Apache requires
execute access to all folders in the path in order to serve files. Without
this, you'll get an HTTP 403 (forbidden).

That would mean I would need to give Apache execute access to

/Users/
/Users/webclient/
/Users/webclient/Library/
/Users/webclient/Library/Application Support/
/Users/webclient/Library/Application Support/4D/
/Users/webclient/Library/Application Support/4D/com.aparajita/
/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/
/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/
/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/uploads/

Setting the user or group to _www for most of those seems like a bad idea.
I have to admit that I don't know how to set that explicitly for the _www
user with chmod. I expect this involves using ACLs.

Thanks,


Brad



On 10/27/14 10:30 AM, "Aparajita Fishman" <[hidden email]>
wrote:

>> I've tried what I think you are suggesting e.g.,
>>
>> <Directory /Library/WebServer/Documents/TWP/docs/srts >
>>    Options FollowSymLinks
>>    AllowOverride None
>>    </Directory>
>
>
>Do you have an entry for the target of the symlink, i.e.
>/Users/webclient/Library/Application
>Support/4D/com.aparajita/Active4D/web/uploads?
>
>Regards,
>
>  Aparajita

Re: Can't download uploaded files after upgrade

Perkins, Bradley D
I wanted to test the assumption that every directory in the path to
uploads must be executable by Apache.
I was able to validate this by chmod o+x on each of these where needed:

/Users/
/Users/webclient/
/Users/webclient/Library/
/Users/webclient/Library/Application Support/
/Users/webclient/Library/Application Support/4D/
/Users/webclient/Library/Application Support/4D/com.aparajita/
/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/
/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/
/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/uploads/

I can now download files!

However, I really don't like that anyone can execute in those paths and
need to figure out how to specifically allow _www those privileges.

-- Brad


On 10/27/14 11:51 AM, "Perkins, Bradley D" <[hidden email]> wrote:

>If you mean a <Directory "/Users/webclient/Library/Application
>Support/4D/com.aparajita/Active4D/web/uploads"> in my Apache config files,
>I don't.
>
>I added that and restarted Apache. Documents are still Forbidden.
>
>/Library/WebServer/Documents/TWP/docs has a symlink to
>/Users/webclient/Library/Application
>Support/4D/com.aparajita/Active4D/web/uploads
>
>In looking at my old server configuration files, https.conf simply has
>this:
>
>## First, we configure the "default" to be a very restrictive set of
>## features.  
>##
><Directory "/">
>  Options FollowSymLinks
>  AllowOverride None
></Directory>
>
>The site specific virtual host configuration files have e.g. this:
>
><Directory "/Library/WebServer/Documents/TWP">
>  <IfModule mod_dav.c>
>    DAV Off
>  </IfModule>
>  Options All +MultiViews -ExecCGI -Indexes -Includes
>  AllowOverride None
> </Directory>
>
>I never explicitly specified settings for docs/srts/ or paths to Active4D
>files.
>
>
>The only thing that is really different is that for V11 I was able to put
>my Active4D files in
>/Library/Application Support/4D/com.aparajita
>
>With v14 and A4D 6.1 I had to put them in
>/Users/webclient/Library/Application Support/4D/com.aparajita
>
>I'm thinking that Apache was able to deal with A4D files in the system
>root path, but not buried in a /User/... Path.
>
>I've done a lot of reading on this and I suspect that Apache requires
>execute access to all folders in the path in order to serve files. Without
>this, you'll get an HTTP 403 (forbidden).
>
>That would mean I would need to give Apache execute access to
>/Users/
>/Users/webclient/
>
>/Users/webclient/Library/
>
>/Users/webclient/Library/Application Support/
>
>/Users/webclient/Library/Application Support/4D/
>
>/Users/webclient/Library/Application Support/4D/com.aparajita/
>
>/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/
>
>/Users/webclient/Library/Application
>Support/4D/com.aparajita/Active4D/web/
>
>/Users/webclient/Library/Application
>Support/4D/com.aparajita/Active4D/web/uploads/
>
>Setting the user or group to _www for most of those seems like a bad idea.
>I have to admit that I don't know how to set that explicitly for the _www
>user with chmod. I expect this involves using ACLs.
>
>Thanks,
>
>
>Brad

Re: Can't download uploaded files after upgrade

aparajita
Administrator
> However, I really don't like that anyone can execute in those paths and
> need to figure out how to specifically allow _www those privileges.

You could probably do it with an ACL, which is more fine-grained than regular permissions. Don't ask me how though.

Regards,

  Aparajita


Re: Can't download uploaded files after upgrade

Perkins, Bradley D
That is what I have been looking into. And yes, it isn't very clear how to
do it. Unlike the POSIX permissions there doesn't seem to be a direct
corollary of "x" for an ACL. I'm probably going to have to leave it as is
for now.

Maybe the better alternative is to have Active4D copy the uploads to a
folder within the Apache web root?

-- Brad

On 10/27/14 1:47 PM, "Aparajita Fishman" <[hidden email]>
wrote:

>> However, I really don't like that anyone can execute in those paths and
>> need to figure out how to specifically allow _www those privileges.
>
>You could probably do it with an ACL, which is more fine-grained than
>regular permissions. Don't ask me how though.
>
>Regards,
>
>  Aparajita
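Added example, not part of the thread and not Active4D or Apache project code: a script for the two points discussed above, finding which directories on the path to the symlink target lack the "other" execute bit, and printing (without running) a macOS ACL command that grants traversal to _www alone. The function names are hypothetical; it assumes _www is neither owner nor group member of the directories, ignores ACLs already present, and relies on macOS `chmod +a`, where `search` is the directory right that corresponds to POSIX "x".

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the web server user is neither
# owner nor group member of the directories, so the "other" bits decide.

# List, top-down, each directory from / to $1 that lacks the "other" x bit.
# Parses the `ls -ldL` mode string, which has the same layout on macOS and Linux.
blocked_dirs() {
    dir=$1
    out=
    case $dir in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    while [ "$dir" != "/" ]; do
        mode=$(ls -ldL "$dir" 2>/dev/null | cut -c1-10)
        case $mode in
            d????????[xt]) ;;      # "other" may traverse this directory
            *) out="$dir
$out" ;;                           # blocked, missing, or not a directory
        esac
        dir=$(dirname "$dir")
    done
    printf '%s' "$out"
}

# Print one macOS ACL command per blocked directory; nothing is changed.
# $1 = web server user (e.g. _www), $2 = absolute path of the symlink target.
acl_commands() {
    user=$1
    blocked_dirs "$2" | while IFS= read -r d; do
        if [ -n "$d" ]; then
            printf 'chmod +a "%s allow search" "%s"\n' "$user" "$d"
        fi
    done
}

# Usage: sh check_traverse.sh "/Users/webclient/Library/Application Support/4D/com.aparajita/Active4D/web/uploads"
if [ -n "$1" ]; then acl_commands _www "$1"; fi
```

On macOS, `ls -led <dir>` lists the ACL entries on a directory after the printed commands have been reviewed and run.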

Re: Can't download uploaded files after upgrade

aparajita
Administrator
> Maybe the better alternative is to have Active4D copy the uploads to a
> folder within the Apache web root?

That is simple enough. Just use 'copy upload', and make sure to put the target directory in "safe doc dirs".

Regards,

  Aparajita
