Yes, the issue is permission related. I replicated the permission structure from
Now it's working the way I want.
But the original problem that created all the new problems still persists.
I can access app.mydomain.in/user-docs folder as a directory from a browser. It's not that big of a problem, but this does make my clients' files/documents vulnerable.
I tried various things already. I can tell you what doesn't work.
owner:daemon + 775 Doesn't work.
owner:daemon + 755 Doesn't work.
owner:bitnami + 755 Doesn't work.
owner:bitnami + 775 Is the only thing that seems to work for me. But the issue is what I mentioned above.. anyone can access the files in the user-docs directory. There won't be super sensitive files there so it's still fine. But things like invoices, purchase orders etc will be there so better safe than sorry. I'd like to find out how to fix this vulnerability.
Fix it in a way that you can't access app.domain.in/user-docs as a directory, but can access app.domain.in/user-docs/file.pdf so that anyone with the actual link to the file can download it, so that my client can share it with whoever they want without attaching it to the email. I'm assuming this is possible since I've seen it on other sites, and from what I have gathered in the past few days, giving the "execute" right to "public" would allow them to download???
I get what you mean when you said "What doesn't make sense to me is that the PHP-FPM user is daemon" coz I came to the same logic.
TCPDF is a very vanilla plugin. It works wherever you put it and doesn't require any special configuration. And if it does, I haven't done any. But even if that was the case, uploading files to a folder via PHP should have worked. So I'm sure that TCPDF doesn't require any config.
I ran the whoami code; the answer on both the domains is
This is more than what I signed up for, but at the same time I'm glad I'm learning all this.
Any thoughts on how to patch this vulnerability?? Could really use some..
Thanks & Regards,
PS: My new directory structure for the
app domain -> link the
beta domain is identical to this. I'm surprised as to how this is working but this seems to be the only permission setup that works for me. Just the 1 problem I mentioned above.
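Directory listing is a web-server setting rather than a filesystem permission: Apache has to be able to read the directory to serve the files in it, so chmod alone cannot hide the listing. As an added example (not from this thread or the Bitnami docs), this is the vhost fragment that turns off the auto-generated index for the user-docs folder so that the bare directory URL returns 403 while a direct link such as /user-docs/file.pdf still downloads. The filesystem path and the vhost file it belongs in are assumptions for a Bitnami-style layout; adjust them to your stack.

```apacheconf
# Added example, not from the original thread. The path is an assumption
# for a Bitnami-style layout; put this block inside the vhost that serves
# app.mydomain.in (Apache 2.4 syntax).
<Directory "/opt/bitnami/apps/myapp/htdocs/user-docs">
    # Without Indexes, a request for /user-docs/ that finds no index file
    # gets a 403 instead of a generated listing. Direct links such as
    # /user-docs/invoice-123.pdf are unaffected.
    Options -Indexes

    # Ignore any .htaccess dropped into the upload tree so an uploaded
    # file cannot re-enable listings or change handlers.
    AllowOverride None

    # Anyone holding a file URL may fetch it, which is the sharing model
    # described in the post.
    Require all granted

    # This folder only ever holds documents, so refuse to serve anything
    # that would be handed to the PHP handler.
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

After saving, run `apachectl configtest` and restart Apache, then confirm with curl that `/user-docs/` now returns 403 while a known file under it still returns 200.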