G2 Security Issue after upgrade

dgwyn

Joined: 2005-01-28
Posts: 6
Posted: Sun, 2005-02-20 23:29

I upgraded with a nightly build and now can't get into my gallery at all. I've tried wiping out everything and still get this error message. I'm at 8.14 and there are no errors reported when I install the upgrade.

Security Violation The action you attempted is not permitted.
Back to the Gallery
Error Detail -
Error (ERROR_BAD_PARAMETER):
in file modules/core/classes/helpers/GalleryEntityHelper_simple.class at line 51 (gallerystatus::error)
in file modules/core/classes/GalleryCoreApi.class at line 2120 (galleryentityhelper_simple::loadentitiesbyid)
in file init.php at line 167 (gallerycoreapi::loadentitiesbyid)
in file main.php at line 132
in file main.php at line 46
in file main.php at line 39


 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Mon, 2005-02-21 00:34

hm, that's a misleading subject.
anyway, try clearing cookies in your browser.
also try lib/tools/test/index.php FlushCache test.
either of those work?

 
speckle

Joined: 2004-12-09
Posts: 36
Posted: Thu, 2005-02-24 09:44

i have the same problem. is there a solution?

 
KAC

Joined: 2004-12-01
Posts: 164
Posted: Tue, 2005-04-05 11:43

I have this same "Security Violation" problem after installing the 4-4 build. I did a fresh install with the nightly snapshot and created a new DB table to start everything over.

I also ran the lib/tools/test/index.php test that mindless suggested. It asked me for my password then I get :
Error (ERROR_BAD_PARAMETER)

* in modules/core/classes/helpers/GalleryEntityHelper_simple.class at line 50 (gallerystatus::error)
* in modules/core/classes/GalleryCoreApi.class at line 2092 (galleryentityhelper_simple::loadentitiesbyid)
* in init.inc at line 149 (gallerycoreapi::loadentitiesbyid)
* in lib/tools/test/index.php at line 31
* in lib/tools/test/index.php at line 11

Same error I get when I tried to access the site.

I read all the security violation posts I could find. The only one that had any decent info talked about having the wrong layout trying to load or something like that.....??????

Any help would be appreciated!

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2005-04-05 16:12

KAC, what do you get for:
select g_parameterName, g_parameterValue from g2_PluginParameterMap where g_pluginId='core' and g_parameterName like 'id%';

 
KAC

Joined: 2004-12-01
Posts: 164
Posted: Wed, 2005-04-06 16:59

mindless,

I'm sorry but by the time I saw your post here, I had already fixed my problem so I didn't get a chance to test what you suggested.

I would like to explain what I found and how I fixed it because it does lead me to another question.

Well, I have the G2 gallery in a subfolder such as:
/domain/public_html/g2gallery/

with the pictures actually stored outside the "public_html" folder at
/domain/g2files

Well when I upgraded to the 4-4 snapshot, I deleted everything in /domain/public_html/g2gallery/. I also deleted the database table and created a new one so I could start from scratch.

I discovered that when I originally installed Gallery, it created some folders inside /domain/g2files/ called "locks", "smarty", "album" etc.

The problem was that I could not delete or overwrite them because they were not originally installed/created as MY user name, they were installed/created by username "Apache". Therefore, I did not have rights to overwrite them when I added the new 4-4 build.

I found this out after speaking to my host provider who WAS able to delete those folders. Before my host deleted those folders for me, I was able to see in the file manager of my directadmin page that those folders were indeed owned by user "Apache".

After the host deleted all the folders owned by user "Apache", I created a new "g2files" folder, re-ran the install of G2 and all was well.

My question is, why does gallery install/create those folders as user "Apache" instead of my user name?

The host referred to the problem as "a software bug issue on your end".

I noticed that after installing the new build, all the subfolders of "g2files" are owned again by user "Apache" so this could pose a problem for me in the future.

Am I perhaps doing something wrong or is this indeed a G2 problem? What do you think?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-04-06 17:10
KAC wrote:
My question is, why does gallery install/create those folders as user "Apache" instead of my user name?

The host referred to the problem as "a software bug issue on your end".

What do you think?

We do this intentionally, i.e. there's no way this could be done without using the apache user. (everything could be stored in the database, but there are various reasons why this is not a viable solution.)

Gallery lets you add images from the web browser, and various other sources. When you add an image, it must be stored on the webserver. All files on a computer have an owner. I'm not speaking of the owner in the Gallery application, I'm speaking of the owner on the filesystem level.
The webserver (apache) runs under the webserver user, which is in this case "Apache". And if you add an image in G2, it is added by a script (Gallery2) that runs in the context of the webserver. That's why all files generated by Gallery2 are owned by the user that executes the webserver (or php for php-cgi). And this user is "Apache".

So, this is not a bug. The only way all files in g2data could be owned by your user would be, if the hosting partner would use php-cgi + (php)SuExec instead of mod_php.
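
The ownership behaviour described in the post above can be checked from a shell account on the host. This is an added example, not part of the original thread and not Gallery code: a POSIX sh script that counts the entries under the storage directory that the invoking user does not own, and lists the directories whose contents that user cannot delete. The function names, the script name in the usage comment and the availability of shell access are assumptions.

```shell
#!/bin/sh
# Added example: ownership audit of a Gallery 2 storage directory.
# Usage (script name is hypothetical): sh g2owner.sh /domain/g2files

# foreign_count DIR: number of entries under DIR that are not owned by the
# invoking user. Under mod_php these are the entries created by the
# webserver account.
foreign_count() {
    # "%.0s" prints nothing for each path, so exactly one line is emitted
    # per entry and odd characters in file names cannot skew the count.
    find "$1" ! -user "$(id -u)" -exec printf '%.0s\n' {} + | wc -l | tr -d ' '
}

# blocked_dirs DIR: print every directory under DIR whose entries the
# invoking user cannot remove. Deleting a file needs write and search
# permission on the directory that contains it; owning the file is not
# required. Sticky-bit directories add an ownership rule not checked here,
# and root passes every access test.
blocked_dirs() {
    find "$1" -type d -exec sh -c '
        for d do
            [ -w "$d" ] && [ -x "$d" ] || printf "%s\n" "$d"
        done' sh {} +
}

# Print a report when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    echo "entries not owned by you: $(foreign_count "$1")"
    echo "directories you cannot delete from:"
    blocked_dirs "$1"
fi
```

A directory that appears in the second list explains why its contents cannot be removed from the account's own shell or FTP login, even when the parent folder belongs to that account.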

 
KAC

Joined: 2004-12-01
Posts: 164
Posted: Wed, 2005-04-06 17:50

Thanks for the info valiant. I just wanted to make sure it wasn't something stupid I was doing. I feel bad bugging my host for help deleting files all the time. All the tests I've been doing with the Mambo/G2 integration has me bugging them a couple of times a week cuz Mambo does the same thing....creates files as user Apache.

I'll mention the php-cgi + (php)SuExec instead of mod_php thing you suggested.

BTW, I noticed the 4-4 build install and admin pages run MUCH better now than the old early February build I had. Nice job!

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-04-06 17:56

When you mention the php-cgi thing when talking to your host, they will tell you why they're not using it (mostly because of performance). I wouldn't ask them to offer php-cgi hosting. Either they do, or they don't...

Most probably you could delete/empty your g2data folder yourself.
Either with a filebrowsing tool in your domain control panel if something like that exists. Or by using a php script that deletes the files.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Wed, 2005-04-06 18:03

KAC, see the G2 FAQ for how to delete files created by php.

 
KAC

Joined: 2004-12-01
Posts: 164
Posted: Wed, 2005-04-06 18:41
mindless wrote:
KAC, see the G2 FAQ for how to delete files created by php.

sAAAAweeEEEET!!

I found cleanup.php
:D

Thanks for pointing me there.