I have checked out articles and tutorials.

I don't know what to do about the security of my picture upload-folder.

It is pictures for classifieds which should be uploaded to the folder.

This is what I want:

 Anybody may upload images to the folder.
 The images will be moved to another folder, by another php-code later on (automatic).
 Only I may manually remove them, as well as another php file on the server which automatically empties the folder after x-days.

What should I do here?

The images are uploaded via a php-upload script. This script checks to see if the extension of the file is actually a valid image-file.

When I try this:

   chmod 755 images

the images won't be uploaded.

But like this it works:

   chmod 777 images

But 777 is a security risk right?

Please give me detailed information...

The Q is, what to do to solve this problem, not info about what permissions there are etc etc...

Thanks

If you need more info let me know...

+2  A: 

0 No Permissions (the user(s) cannot do anything)

1 Execute Only (the user(s) can only execute the file)

2 Write Only (the user(s) can only write to the file)

3 Write and Execute Permissions

4 Read Only

5 Read and Execute Permissions

6 Read and Write Permissions

7 Read, Write and Execute Permissions

First number = OWNER, second number = GROUP, third number = OTHER USERS

Neurofluxation
Note that "execute" permission on a directory means permission to cd into it. "write" permission allows you to create *or* delete files in it.
Paul Tomblin
+3  A: 

You have to make sure the upload folder is owned by apache or whichever user the HTTP server is started as.

Alternatively, you can use 775, owned by the UID that will be collecting the files, with the GID set to the group the web server is started as.

There are of course variations on these themes.

As long as the webserver user or webserver group has permission to write in the folder, it will be fine for uploading.

There are all kinds of corner cases, but then we'll need more info about your setup.

Peter Tillemans
How can I check which user the http server is started as? Apache2.conf?
Camran
@Camran: Yes, there should be a `User` (and possibly a `Group`) entry somewhere in `apache2.conf` or `httpd.conf`
R. Bemrose
Okay. Checked that now, it is the correct user... So that's fine... But I still have to set the permissions on the folder to 777 in order for the images to be uploaded. Won't work otherwise...
Camran
Really, ownership is the main problem that people have with file uploads. The folder's permission means nothing without that context.
Typeoneerror
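
The answer and comments above say that ownership decides which of the three permission digits applies to the web server. The following is an added example, not code from anyone in this thread, that reports which class (owner, group, other) a given user falls into on a directory and whether that class can create files there. It assumes GNU `stat` on Linux; the function name `upload_access` and its output format are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (Linux).

# upload_access DIR UID "GID GID ..."
# Prints "<class>:<writable|blocked>" for a user with that uid and those gids.
upload_access() {
    dir=$1; uid=$2; gids=$3
    # %u = owner uid, %g = group gid, %a = octal mode (may carry a 4th digit)
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    d_uid=$1; d_gid=$2; perm=$((0$3))   # leading 0 makes the mode octal

    # Exactly one class is used: owner first, then group, then other.
    class=other; bits=$((perm & 7))
    for g in $gids; do
        if [ "$g" = "$d_gid" ]; then class=group; bits=$(((perm >> 3) & 7)); fi
    done
    if [ "$uid" = "$d_uid" ]; then class=owner; bits=$(((perm >> 6) & 7)); fi

    # Creating a file in a directory needs write (2) and search/execute (1).
    if [ $((bits & 3)) -eq 3 ]; then
        echo "$class:writable"
    else
        echo "$class:blocked"
    fi
}

# Usage: script.sh DIR ACCOUNT   (ACCOUNT is whatever the User directive names)
if [ $# -ge 2 ]; then
    upload_access "$1" "$(id -u "$2")" "$(id -G "$2")"
fi
```

A result of `other:blocked` at 755 that turns into `other:writable` at 777 means the web server account is neither the owner nor in the group of the folder.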
A: 

One possibility for why it only works with 777 permissions might be if you are running SELinux. It's possible that it is preventing the write. I would have thought though that it would have prevented it even with the 777 permissions but I'm no SELinux expert.

Troubadour
Certainly this answer may be wrong but it's at least an attempt. Is it really deserving of a downvote (anonymous at that) instead of no vote?
Troubadour
A: 

Every newbie mixes users up. :)
You just have to distinguish OS user and website user.
The latter one has nothing to do with OS permissions.

For the OS users you have given 2 of them:

  1. FTP user, owner of the files, uploaded via FTP

  2. webserver user, owner of the files uploaded via browser.

So, in case both these users are the same, you have nothing to worry about.
But usually these are different users. So, one has no access to the other's files unless directories have 777 and files 755.
That's why you have to set 777 for directories.
As we have learned above, website users have nothing to do with OS permissions, so you should not worry about security. 777 is OK.

Col. Shrapnel
-1: 777 is never okay.
Troubadour
@Troubadour got a scenario? Or is it just a prayer?
Col. Shrapnel