tags:

views:

45

answers:

3
+1  Q: 

PHP upload permission problem

right guys ive ran into a problem with file permissions with the following upload form. a text file is passed to the upload/ dir by global users.

mysite$ ls -l
drwxrwxrwx 2 user user 4096 2010-09-24 13:07 upload

but as I am not logged in as root, the new file uploaded to the domain saved itself in the upload/ dir with limiting permissions and cannot be modified. eg. 

upload$ ls -l
-rw-r--r-- 1 www-data www-data 3067 2010-09-24 13:07 Readme.txt

this problem is obviously the same for all files added to the upload folder by global users. once the file is uploaded I need a way of changing the file rights without embedding the root password into a php script running on the domain. please help!

is there any way to associate the same rights to files as the containing folder when new files are added?

submit form:

<html>
<body>

<form action="upload_file.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /> 
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html>

upload_file.php:

<?php
if ($_FILES["file"]["type"] == "text/plain")
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

    if (file_exists("/home/user/mysite/upload/" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " already exists. ";
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "/home/user/mysite/upload/" . $_FILES["file"]["name"]);
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
      }
    }
  }
else
  {
  echo "Invalid file";
  }
?>
+1  A: 

You can use chmod to change the file permissions.

To get the permissions of a file, use fileperms.

Jeff Rupert  2010-09-24 13:51:58
thanks, but how can I use this permission output to solve the problem?
JB87  2010-09-24 13:57:36
After you've uploaded the file, you can use `fileperms` on the folder to get the permissions, then use `chmod` with the result of `fileperms` to set the permissions as you want.
Jeff Rupert  2010-09-24 14:01:33
thanks for the tip, I could see how this could work for dynamic systems with multiple folders and users.
JB87  2010-09-24 15:05:46
+1  A: 

The user, that initially writes the files into your "/upload" directory, is the one that started the Apache instance running a PHP module.

In other words, PHP is the "owner" of all uploaded files and through a PHP script you can change the permissions of all relevant uploaded files without providing any credentials at all:

PHP chmod function

A quick and dirty hack to make uploaded files writable to all users would be

else 
      {
      move_uploaded_file($_FILES["file"]["tmp_name"], 
      $f="/home/user/mysite/upload/" . $_FILES["file"]["name"]); 
      chmod($f, 0777);
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"]; 
      }
Saul  2010-09-24 14:03:27
thanks for the hack, but after trying it instead of getting full rights I get some very strange permissions? '-r----x--t 1 www-data www-data 0 2010-09-24 15:53 readme.txt'
JB87  2010-09-24 14:55:15
This because the file has sticky bit, which again comes with move_uploaded_files function.
Ibrahim  2010-09-24 15:01:12
looks like there was a typo. in PHP the correct format is 'chmod($f,0777)'. leading zero was missing. this now works perfectly!!
JB87  2010-09-24 15:03:46
@JB87: Fixed that typo.
Saul  2010-09-24 15:16:17
As well, you can make the `upload/` directory SETGID (mode 2xxx), which forces any new files within it to be created with the upload directory's group ownership.
Marc B  2010-09-24 15:24:41
+1  A: 

move_uploaded_file uses umask(600). Use copy($source, $dest) instead of move.

Ibrahim  2010-09-24 14:05:52
thanks for the umask(600) info on move_uploaded_file, where can I quickly reference more info like this? on the PHP module rights in linux
JB87  2010-09-24 15:04:54
I checked it on my system by calling umask function before and after move_uploaded and copy function in a test php script.
Ibrahim  2010-09-24 15:50:49

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases