Can't open some attachments unless running as domain admin user

We currently have osTicket 1.9.12 installed. We are using:

  • LDAP Authentication and Lookup
  • HTTP Passthru Authentication
  • Attachments on the filesystem

All of IT logged in as domain admins and we were able to open all attachments. We have now moved to standard accounts using privilege escalation. If I log in to a domain account and then log in with my normal osTicket credentials, I can see the files. If I log in using my normal account and log in to osTicket, I cannot see the file. This affects only some attachments; it seems to be .png files.

If you need any further details, please ask. Both users also have full permissions on the uploads folder and all subfolders.

Comments

  • Please provide a bit more detail about your environment other than just the OST installation. What are your PHP, database, and web server versions, to start with?
  • You are using attachments on the filesystem.
    Since the admin account can see the files... and the user (non-admin) cannot then I would presume that your problem is permissions on the attachments.
  • The issue is now resolved by adding the IIS_IUSRS to the folder. This is needed and is due to how IIS handles permissions on different types of files. For anybody reading this in the future: you want to add read permissions only for the IIS_IUSR account, and you only want to add this user to the uploads folder and all of its subfolders. You do not need to add this account to the rest of your osTicket folders. For people on an older version of IIS than IIS 7.0, you will need to add the IIS_WPG user.

    Any questions I am happy to help and thank you for all those who replied
  • Actually, I believe that this is because of how PHP handles permissions under Windows. Files uploaded via PHP inherit the permissions of the temp folder where the file is stored (created) as it is uploaded. Then, once it is moved, it does not inherit the permissions of the folder where it is moved to upon completion.

    Have you tried uploading another file after your fix to ensure that it gets the read permission?
  • No, I have not tried this. I will check, though I found my solution, which I think is working, in Microsoft's IIS documentation on file uploads. I will check though.
  • I have now checked and my solution is definitely working. It is Microsoft's recommended file permissions for an uploads folder when using IIS. This folder doesn't need to be in the web directory; it can be anywhere on the machine or on a SAN somewhere. Not sure if anybody is running an osTicket install of that scale, however, to have those requirements.
  • Thanks for checking. :)
  • Nope, I am wrong. It seems to have done it again, this time with a docx file. Going back to your suggestion earlier, what would you suggest? It just seems odd that the domain admins can access this file when it should be based on the web server's permissions.
  • Take a look at your php.ini and find out where the PHP temp folder is.
    Browse to the folder and give the IIS_IUSR user rights on the folder (Read is fine).
    Then open a test ticket, and attach a file, and see if it works.

  • Changing the temp folder and adding IIS_IUSR has done the trick.
  • Great!  Should I close this and mark it resolved then?
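
An audit of the fix the thread arrived at, as an added example that is not part of the original thread or of osTicket: it reads `upload_tmp_dir` from php.ini, checks whether the temp folder carries a read entry for the IIS group, and lists stored attachments that lack one. The php.ini path and attachment folder are placeholder assumptions, and only ACEs naming the group directly are checked, not access granted through other groups.

```powershell
# Added example. Paths are placeholders (assumptions), not values from the thread.
param(
    [string]$PhpIni     = 'C:\PHP\php.ini',           # assumed php.ini location
    [string]$UploadsDir = 'D:\osticket-attachments',  # assumed attachment folder
    [string]$Identity   = 'BUILTIN\IIS_IUSRS'         # group name as Get-Acl reports it
)

# Return $true when $Path has an Allow ACE naming $Identity with at least Read.
function Test-ReadAccess {
    param([string]$Path, [string]$Identity)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $read) -eq $read) {
            return $true
        }
    }
    return $false
}

# 1. Find the temp folder PHP writes uploads to (commented-out lines start with ';').
$match = Select-String -Path $PhpIni -Pattern '^\s*upload_tmp_dir\s*=\s*"?([^";]+)"?' |
         Select-Object -First 1
if (-not $match) {
    Write-Warning 'upload_tmp_dir is not set; PHP uses the system default temp directory.'
    return
}
$tmpDir = $match.Matches[0].Groups[1].Value.Trim()

# 2. Check the temp folder: uploads are created here, and per the thread they
#    keep this folder's permissions after being moved to the attachment folder.
'{0} readable by {1}: {2}' -f $tmpDir, $Identity, (Test-ReadAccess $tmpDir $Identity)

# 3. List attachments already stored without the read entry; these are the
#    files that open for a domain admin but not for a standard account.
Get-ChildItem -LiteralPath $UploadsDir -Recurse -File |
    Where-Object { -not (Test-ReadAccess $_.FullName $Identity) } |
    Select-Object -ExpandProperty FullName
```

The script only reads ACLs; files it lists were uploaded before the temp folder was corrected and still need the read entry applied to them.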