I have developed a small web app.

This app allows users to upload images. It also produces text files with the names of those images (the names are stored in and retrieved from a MySQL database).

I have developed this app using MAMP. To create the uploaded image files I use the PHP function

imagejpeg($image, 'my/path/name.jpg')

and to delete the files I use the PHP function

unlink('folder1/folder2/name.jpg')

to write to the text document I am using the function

fopen('folder1/folder2/name.txt', 'w')

All three of these functions produce permission-related errors now that the site has been moved to a live hosting environment.

Why is this, and what permissions do I need to set the folders folder1 and folder2 to?

I know that permission 777 is generally bad because it opens up your server to the public. However what I have found is that the functions fail to work unless I use 777 on the folders. Can anyone shed any light on my dilemma?

A: 

Rather than just changing permissions, have you looked at the ownership of the folders? The webserver runs as a different user than the user developing and deploying the scripts and folders. A simple fix might be changing the folder owner to the webserver user.

gurun8
can you expand on your answer?
Ashley Ward
how do I change the folder owner? and what would I change it to?
Ashley Ward
Assuming you're on a Linux/Unix OS, look into chown. http://www.computerhope.com/unix/uchown.htm
gurun8
+1  A: 

There is a solution I find elegant, but maybe I am the only one :) Change the group owner of your directories to www-data and set the rights to 775.

chown -R :www-data folder1
chmod -R 775 folder1
Romain Deveaud
You can constrain those permissions even further really. There's no reason for anyone else but the web user to have the read and execute bits enabled for users who are not the owner of the file or part of the file's group.
Steve Finkelstein
Who is this owner? How do I access this info? My issue is that I am fairly new to the terminal and would prefer to do it through a GUI.
Ashley Ward
+2  A: 

Do not blindly set the folder's permissions to 777; that enables the read, write and execute bits for every user on the system.

You should always grant the least amount of privileges required for your application to run, as a general security precaution.

I don't know much about your application's requirements from your question above, but it seems the culprit directories only need read/write/execute permissions for you and the user that the web server runs as. You can simply grant them to the web user and then use sudo to access them yourself.

read - so you can get a directory listing.
write - create new or delete existing files in the directory or rename files. (eg: usage of the unlink() function)
execute - so you can change into and access the directory.

In your case, the following should work fine:

chown -R www-data: folder1/
chmod 700 folder1/ folder1/folder2/

This is assuming your web server is running as the user www-data. If you want to have access to the directories and their respective files via FTP or a bash shell without the use of sudo, you'll need to create a group such as wwwusers and add everyone who needs access to those directories to that group. Then do something like:

chown -R www-data:wwwusers folder1/
chmod 770 folder1/ folder1/folder2/

By the way, my response is naive in that I'm assuming you have root on the server and that there isn't anything like POSIX ACLs enabled or something such as grsecurity. With ACLs, you would need to do something such as setfacl -m u:www-data:rwx /path/to/dir. In that event, you will most likely need to seek assistance from your hosting provider.

You really should understand the fundamentals of how permissions work on directories and files on a Unix or Unix-like filesystem. Make sure you run man chmod and man chown. You can also learn more here on UNIX permissions and here.

Steve Finkelstein
Thanks Steve. I will do some research with what you've given me.
Ashley Ward
How do you find out what username your webserver is running as?
Ashley Ward
You'll want to use the ps command to get information on a process. Try ps aux |grep -i apache|awk '{print $1}'. Type 'man ps' to learn more about the ps command and how to get all types of different information about running processes on your system.
Steve Finkelstein
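The owner/group/other bit logic from the accepted answer, and the ps tip from the comments, as an added example that is not code from the answers themselves. dir_access reports which of r, w, x a given account would get on a directory, so a layout such as chown www-data:wwwusers plus chmod 770 can be verified before relying on it; it assumes GNU coreutils (stat -c) and that the account exists locally.

```shell
#!/bin/sh
# Added example, not from the original answers. Reproduces the kernel's
# discretionary access check for a directory: pick the owner, group or
# other octal digit that applies to the account and decode its r/w/x bits.
# Assumes GNU stat (Linux). Usage: dir_access <user> <dir>  -> rwx, r-x, ...
dir_access() {
    user=$1
    dir=$2
    uid=$(id -u "$user" 2>/dev/null) || return 2
    gids=$(id -G "$user")                       # primary + supplementary gids
    info=$(stat -c '%u %g %a' "$dir" 2>/dev/null) || return 2
    set -- $info                                # owner uid, group gid, octal mode
    owner=$1
    group=$2
    mode=$3
    # Root bypasses these checks (CAP_DAC_OVERRIDE), so it always gets rwx.
    # Otherwise: owner digit if uid matches, group digit if any gid matches,
    # else the "other" digit. The leading 0 makes the shell parse octal.
    if [ "$uid" -eq 0 ]; then
        digit=7
    elif [ "$uid" -eq "$owner" ]; then
        digit=$(( (0$mode >> 6) & 7 ))
    else
        digit=$(( 0$mode & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then
                digit=$(( (0$mode >> 3) & 7 ))
                break
            fi
        done
    fi
    out=""
    if [ $(( digit & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( digit & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( digit & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s\n' "$out"
}

# Account the web server workers run as (the ps approach from the comments),
# skipping the root master process so the worker user is what gets reported.
# The process names matched here are an assumption; adjust for your server.
web_user() {
    ps -eo user=,comm= | awk '$2 ~ /apache|httpd|php-fpm|nginx/ && $1 != "root" { print $1; exit }'
}
```

Run as dir_access "$(web_user)" folder1/folder2 on the live host to see exactly what the web user is granted; "r-x" explains why unlink() and fopen(..., 'w') fail while reads still work.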