Topic on Project:Support desk

Images upload but won't display

11 comments • 06:47, 14 April 2019 5 years ago

11

I'm running MediaWiki 1.30.0 on a remote server which uses a platform called Fusion Forge. The PHP version is 5.6.33-0+deb8ul. The mysql version is 5.5.59-0+deb8ul (Debian). URL of the wiki is https://comun.ourproject.org/en/w/

It is a new installation, about 3 weeks old.

Everything is working fine, as far as I know, except one thing:

Images. They upload OK. But the directory permissions get set so that the file is unreadable to anyone but the system administrator. So the files are there but can't be displayed.

Example: I just uploaded a file callled CBGB_club_facade.jpg. A subdirectory of /images/ was created: /images/d/da/ .

The file is there: /images/d/da/CBGB_club_facade.jpg . But the file permissions of /images/d/ are:

drwx--S---

In other words, system administrator can read, write and execute, but no one else can get into the directory. So the image does not display.

The file permissions of the image itself are:

-rw-r--r--

So everybody, admin, group and others, have read permissions here and could presumably read the file if they could get into the directory but they can't.

If I change the directory permissions manually, by logging onto the server and using the shell program, the file would become viewable. I have done this with several files already, e.g., File:Simple_surplus_value_model.png ( https://comun.ourproject.org/en/w/index.php?title=File:Simple_surplus_value_model.png ). This solves the problem, sort of, but is obviously too labourious to be used as a general method.

I have set the permissions of the /images/ directory itself to be maximally permissive:

drwsrwsrwx

So I don't think the new subdirectories are just inheriting restrictive permissions from the parent directory, /images/ .

The permissions of the root directory of the wiki ( htdocs/en/w/ ) are:

drwxrwsr-x

So I don't think they're inheriting restrictive permissions from there, either.

Where do the new subdirectories get their permissions from?

How can I get the permissions to be set properly when a file is uploaded?

-- ~~~~

Reply 01:55, 1 March 2018 6 years ago

星耀晨曦 (talkcontribs)

I do not really understand what is S permission, but I think you do not have the correct files and directories owner. Minimum require: Please make sure your webserver-user are owner of these files. Then assign rwx permissions to the directory and assign rw permissions to the file. Like there:

drwxrwx---. 24 apache      apache   4096 Feb 28 01:16 images

-rw-rw----. 1 apache apache 15233 Dec 14 14:27 images/1/15/Edit-copy_green.svg

Reply Edited 06:39, 1 March 2018 6 years ago

Communpedia Tribal (talkcontribs)

Hi, thanks for the responses so far. The S and s permissions are used to indicate the set-user-id and set-group-id bits. They are actually a combined message that indicates the set-id bit and the executable bit at the same time. Upper case S means the set-id bit is true, but executable bit (x) is not true. Lower case s means set-id true and executable true.

You wonder if I have the correct files and directories owner. I am quite sure that I do. It is the webserver-user (comproject_admin). This is the user name with which I got the account and in fact the only user which has written or changed anything in these directories.

I am including a screenshot of the shell program showing the permissions and user names of some directories and files.

I am starting to think that maybe the problem is as follows. Please tell me if this makes any sense:

When the mediawiki program is operating, it is not logged on to the host, it is just running PHP commands.
So when it tells the host operating system to make a new directory the operating system treats that not the same way as it would treat a mkdir command form a logged-in user. It makes the directory with more restrictive permissions.
So maybe the problem is in the way the host is configured?

I also have this question:

Where in the mediawiki-1.30.0 code is the command given which makes the new directory to put a newly uploaded image into? Which PHP file? Could I add a few lines of code to this to force the directory to be made with the correct permissions? Something analogous to "mkdir -m o=rx" ?

Reply 03:54, 3 March 2018 6 years ago

星耀晨曦 (talkcontribs)

You can chmod 777 -R your images directory, and if you solve your problem, this may a permission problem. If not solve, this may be caused by more complex reasons. Your should enable debug log in your LocalSettings.php to provide more detailed information.

Reply 10:11, 3 March 2018 6 years ago

Ciencia Al Poder (talkcontribs)

setuid and setgid special flags shouldn't be needed on a MediaWiki installations

MediaWiki runs from PHP, and depending on how it's set up, it may be run directly by the webserver (in apache with apache mod_php) or as a standalone application (when using php-fpm). You should find which users and groups are being used for running php. But be assured that every action is made by a user, in that case a process that's being run as such user.

MediaWiki installation files normally should not be owned by the same user running PHP. Ideally they should be owned by root (so PHP can't modify those files), and give read permissions to group, which should be the same user running PHP.

Upload directory should be owned by the user running PHP, and be readable by all. That allows PHP (= MediaWiki) to create/rename/delete files as it needs, and the webserver to read and serve them to users.

Reply 10:17, 3 March 2018 6 years ago

Communpedia Tribal (talkcontribs)

Hello again.

Running chmod 777 -R on the images directory made all of the existing files visible. That is good. However, new uploads -- that is, uploads done after I run the chmod -- are still invisible.

You said it is best if MediaWiki installation files are owned by root. I'm not sure I can do this because I am not root. I think root would be the administrators of the host, Ourproject.

I put echo get_current_user(); in LocalSettings.php and it tells me that the current user is comproject-admin.

I ran debug log and you can see the results at https://comun.ourproject.org/en/w/c_a_add-ons/debug_log_upload_2.txt

This is the debug log resulting from three operations:

Viewing the Main Page
Viewing Special:Upload
Using Special:Upload to upload a file.

Maybe you can see what is wrong by looking at that debug log. It is somewhat mysterious to me.

But:

I have a potential work-around for the problem. I have tested the following code in LocalSettings.php and it works:

shell_exec('chmod o+rw -R test_dir');

It changes the permissions of a test directory I made, called 'test_dir'.

All I need to do is put similar code into the MediaWiki PHP code, at the place immediately after it makes the new directories for images. It will give them the necessary permissions.

But I don't know the place in the MediaWiki code that performs image uploads. Can you tell me?

Reply Edited 04:53, 4 March 2018 6 years ago

星耀晨曦 (talkcontribs)

You should not modify the core file. But you can achieve your meets via extension or hook. In this case, you can use UploadComplete hook in your LocalSettings.php, it called when a file upload has completed. However, you should find out why the picture can't display.

Reply 05:16, 5 March 2018 6 years ago

Communpedia Tribal (talkcontribs)

Thank you. I'll work on it some more.

Reply 06:20, 5 March 2018 6 years ago

星耀晨曦 (talkcontribs)

In addition, you have to remove your debug log from public web.

Reply 07:24, 10 March 2018 6 years ago

Ciencia Al Poder (talkcontribs)

Reason for the uppercase "S": https://unix.stackexchange.com/a/27254

Reply 10:16, 1 March 2018 6 years ago

Cyrax (talkcontribs)

Communpedia Tribal, could you fixed this problem? How did you it? I have the same problem :/

Reply 06:47, 14 April 2019 5 years ago

Reply to "Images upload but won't display"