views:

45

answers:

2

Hi,

I have developed a download/upload manager script that will be used by many people.

When i upload a file via POST method it is stored in a folder called files , the files folder is within another folder called download-manager.

Now it seems when i upload via the POST method 0666 CHMOD works when i want to rename, delete the file but the download-manager folder and the files folder need to be 0777 CHMOD for this to work. Now can someone tell me if this is dangerous?

1) i got a deny all in .htaccess so nobody can access the files directory via a browser

2) the upload script is protected by a username and password which the person who uses the script will obviously change, so only admins can basically upload, rename, edit, delete files and the records in the mysql database.

When a file is uploaded a record is added to the database with information like file type, file name, file size etc and then the unique id (auto incremented by mysql) is appended to the process.php file which gets the file from the directory and mime type etc that is not revealed, the process.php basically does the checks to see if record and files exists and if so forces the download of that file.

Basically the download url is like: wwww.mydomain.com/process.php?file=57 , a check is done to obviously make sure that id exists in the database and that a file exists with the file name stored in the database with that id.

Now all this works fine when uploading the file via a form using POST method but i also added a manual upload so for people who want to upload a file that is larger than the size there webhost allows they can simply upload the file via a ftp program for example and then just add the filename and file details manually themselves via a form in the admin area to link the record with the file. The problem is then a permission issue because if the file is uploaded via FTP or whatever way they upload the file by the php script cannot rename, delete the file if needed in the future as the php script does not have the correct priviledges. So from what i gather i think the only option is then telling the persons who use the script to change the file chmod to 0777 for it to work, i think that will make it work?

But then i have the problem of 0777 also being executable. The script allows any file type upload as it's a download/upload manager script but at the same time i am slightly confused with all this permissions lark and what i should actually be doing. As php is limited by the max upload size set by a host i want to add manual upload so users can upload the file by another method and assign the file to the database record but then as stated i get a problem when wanting to rename, delete the file via the php script.

Sorry for this being very long and probably confusing but if you do understand what i mean can you please suggest anything or help me figure out a way of getting passed this.

I have developed the script to detect such problems and notify the user etc but i would like to try and make this script do all the leg work or nearly all of it without having to state in the manual that the admin will have to chmod the file to 0777 when they want the script to rename, delete the file, althou like i said i don't know if just chmodding the file to 0777 will actually allow the php script to the rename, delete it and so forth but also security is then a concern.

Thanks PHPLOVER

UPDATED

Ok thanks so chown the file before chmodding it on upload?

Do i just use chown() around the file and nothing else and that will make it owned by the server process and make it private? as i see you got

chown apache:apache '/path/to/files' ;

Do i need to add the apache:apache bit?

I did think of this as simpler solution, if a admin does a manual upload tell them they will have to rename/delete the file manually if needed in the future because the script won't have the correct permissions to do so, this would then make this a easy solution, as the manualupload script can just rename the db record to keep it linked to the file. That way no worries of file permission issues. Simply put user changes file manually via ftp for example from myfile.zip to somefile.zip then they edit the db record for that file and change the filename to somefile.zip from the old filename myfile.zip, that way everything is linked still but no worries about permission issues. As i also have been reading that chown() does not always work or cannot be relied on for whatever reason.

+1  A: 

1) i got a deny all in .htaccess so nobody can access the files directory via a browser

Store your files in a separate folder, away from the directory structure that houses your PHP files.

As far as the permissions on the directory are concerned, there are three ways to go about setting up the permissions on the folder:

  1. Make it world-writable (chmod 0777 '/path/to/files/')

    This is not recommended, as it has major security implications especially on a non-dedicated server; anyone who has an account or can tell a process on the server to write/delete to that folder will be able to change its contents.

  2. Make it temporary (chmod 1777 '/path/to/files/')

    This also carries a security concern, but less so than option 1 for the following reason: users cannot modify the directory--only the files they own.

  3. Make it owned by the server process and make it private (chown apache:apache '/path/to/files' ; chmod 0700 '/path/to/files')

    This is arguably the best solution.

amphetamachine
Hi,Thanks for such a prompt reply, i was limited on characters so updated my original post, if you don't mind reading it and replying that would be great. I have put UPDATED in bold so you can see what i am asking as of now.ThanksPHPLOVER
PHPLOVER
`chown` only works if you are logged in under the superuser (i.e. root) account, under which PHP should never be running; `chown` from within PHP will either fail or have no effect.
amphetamachine
Thanks for the reply.I think i will go with the easy option, when a admin want to rename/delete a file that was uploaded via ftp for example will just tell them the will have to rename/delete the file manually aswell themselves and just tell them to update the db record via edit webpage to new name so the db record and file stays linked. Seems the easiest solution. Thanks :)
PHPLOVER
A: 

Just relax & enjoy.
On many shared hostings it's the only possible solution anyway.
There is another option - to ask a user for ftp pass and use ftp for copying files from tmp, like wordpress does. But I think it's even less secure.

Col. Shrapnel
Hi does not really answer my question that i updated in original post as stated previously back to amphetamachine, Hi, Thanks for such a prompt reply, i was limited on characters so updated my original post, if you don't mind reading it and replying that would be great. I have put UPDATED in bold so you can see what i am asking as of now. Thanks PHPLOVER , will wait a repsonce from that thanks.
PHPLOVER