Web App fails when moved to production environment. Which server permissions do I need?

Question

I have developed a small web app.

This app allows users to upload images. It also produces text files with the names of those images (the names are stored and retrieved to/from an MySQL Database.)

I have developed this app using MAMP. To create the uploaded image files I use the PHP function

imagejpeg('my/path/name.jpg')

and to delete the files I use the PHP function

unlink('folder1/folder2/name.jpg')

to write to the text document I am using the function

fopen('folder1/folder2/name.txt', 'w')

all three of these functions produce errors related to permissions - now the site has been moved to a live hosting environment.

Why is this? and what permissions do I need to set the folder's folder1 and folder2 to?

I know that permission 777 is generally bad because it opens up your server to the public. However what I have found is that the functions fail to work unless I use 777 on the folders. Can anyone shed any light on my dilemma?

Answer 1

Rather than just changing permissions, have you looked at the ownership of the folders? The webserver runs as a different user the user developing and deploying the scripts and folders. A simple fix might be changing the folder owner to the webserver user.

Answer 2

There is a solution I find elegant, but maybe I am the only one :) Change the group owner of your directories to www-data and set the rights to 775.

chown -R :www-data folder1
chmod -R 775 folder1

Answer 3

Do not blindly set the folder's permissions to 777, that enables the read,write,execute bits to every user on the system.

You should always grant the least amount of privileges required for your application to run as an general security precaution.

I don't know much about your application's requirements from your question above, but it seems the culprit directories only need read/write/execute permissions for you and the user that the web server runs as. You can simply grant them to the web user and then use sudo to access them yourself.

read - so you can get a directory listing.
write - create new or delete existing files in the directory or rename files. (eg: usage of the unlink() function)
execute - so you can change into and access the directory.

In your case, the following should work fine:

chown -R www-data: folder1/
chmod 700 folder1/ folder1/folder2/

This is assuming your web server is running as the user www-data. If you want to have access to the directories and their respective files via FTP or a bash shell without the use of sudo, you'll need to create a group such as wwwusers and add everyone who needs access to those directory in that group. Then do something like:

chown -R www-data:wwwusers folder1/
chmod 770 folder1/ folder1/folder2/

By the way, my response is naive in that I'm assuming you have root on the server and that there isn't anything like POSIX ACLs enabled or something such as grsecurity. With ACLs, you would need to do something such as setfacl -mu:www-data:rwx /path/to/dir. In that event, you will most likely need to seek assistance from your hosting provider.

You really should understand the fundamentals of how permissions works on directories and files on a unix or unix-like filesystem. Make sure you run man chmod, man chown. You can also learn more here on UNIX permissions and here.