ColdFusion Folder Permission becomes read only

Question

Running ColdFusion 10 currently, but this has been an ongoing issue for years, perhaps throughout CF6/7.

As part of a CMS, part of the validation is that the images are uploaded to a directory e.g.

<cffile action="UPLOAD" filefield="image" destination="media/img/" nameconflict="MAKEUNIQUE" accept="image/jpeg,image/gif,image/pjpeg" mode="644">

They are then read by a script which checks dimensions.

If everything passes, the process script moves it to it's destination directory e.g.

<cffile action="MOVE" source="media/img/imagename" destination="media/img/#hexdir#/imagename" mode="644">

If it fails it should be deleted.

<cffile action="DELETE" file="media/img/imagename">

Every once in a while the /img/ directory becomes read only, the file cannot be written. But I cannot identify the cause of this.

Is there a bug that I am not aware of? any ideas?

Thanks

Additional information

I considered using CFDirectory to change the folder permission in a script, so it can be quickly resolved if it happens again.

I found two issues

On UNIX and Linux, cfdirectory action = "list" does not return any information in the mode column.

Also

Using the rename folder with permissions of 644,777,111 do not seem to affect the permissions of the folder that I can view in FileZilla.

Could this mean that CF could not have changed the folder permission in the first place?

Answer 1

It sounds like you are running ColdFusion on a Linux server. For that I would suggest you read up on the auditd tool and use it to watch your directory to see what is causing the change. It will give you the processthat is causing the change but if it is ColdFusion you will still have to track down the CFM/CFC that is causing that change.

Be warned your audit log could get noisy if you are constantly moving files in and out of the directory.

Assuming your img directory is something like /mnt/media/img, just add a rule to /etc/audit/audit.rules like the following and restart the daemon:

-w /mnt/media/img

You should be able to then clear (or set) the read-only bit for that folder and see it show up in the log (probably: /var/log/audit/audit.log)

type=SYSCALL msg=audit(1407866490.247:114): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=17be0f0 a2=1ff a3=4000 items=1 ppid=2859 pid=3069 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1407866490.247:114):  cwd="/root"
type=PATH msg=audit(1407866490.247:114): item=0 name="/media/mnt/img" inode=6171184 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_content_t:s0