I'm working on a web backup service, part of which allows the user to download a zip file containing the files they have selected from a list of what they have backed up.

The zipping process is done via a shell_exec command. For this to work I have given the apache user no-password sudo privileges to the zip command.

My problem is that, since I can't do "sudo cd /path/to/user/files" to the folder containing the user's backed up files, I need to specify the full absolute path to the files to be zipped, which then goes into the zip file, which I don't want.

Here's what I mean:

The user, 'test1', has their files backed up, which are stored as follows:
/home/backups/test1/my pics/pic1.jpg
/home/backups/test1/my pics/pic2.jpg
/home/backups/test1/my pics/pic3.jpg
/home/backups/test1/hello.txt
/home/backups/test1/music/band/song.mp3

When these files are zipped up they keep the full paths but I just want it to show:
my pics/pic1.jpg
my pics/pic2.jpg
my pics/pic3.jpg
hello.txt
music/band/song.mp3

Is there some way to tell zip to truncate the paths, or specify a custom path for each file?
Or is there some way I can change the working directory to the user's root backup folder so I can simply specify relative file paths?

Thanks for reading, hope you got this far and it all makes sense!

A: 

Have you tried using chdir() to change the working directory?

chdir('/home/backups/test1/');
Greg
PHP uses the apache user which doesn't have access to the directory with the user's files. I use "sudo zip ..." to perform the compression, but "sudo cd /path/to/folder" can't be done.
Nick
Ah, that's not so good :(
Greg
A: 

It seems like a simple option, but according to man it's just not there. You could of course symlink the stuff you want to archive in the location where you'll create the zip file (I assume you can actually cd to that directory). With the proper options, zip will not archive the symlinks themselves but the symlinked files instead, using the names of the symlink.

E.g. create symlinks /tmp/$PID/my pics/pic1.jpg etc, and then zip everything in /tmp/$PID.

MSalters
+1  A: 

I have to slightly question why you are making a potentially dangerous system shell call when there are a number of good PHP zipping classes around. The tutorial here: http://www.granthinkson.com/2005/07/01/create-zip-files-dynamically-using-php/ shows how to easily create a class that will output a zip file to the browser. There are also a number of classes on phpclasses.org; this seems to be the best one: http://www.phpclasses.org/browse/package/2322.html.

If you have to do it with a system call my suggestions are:

To truncate the path for the file you could use symbolic links - See: http://en.wikipedia.org/wiki/Ln_(Unix).

Can you not increase the permissions of the zip executable to mean that apache can use it without using sudo?

Jona
+1  A: 

A better idea may be to make a shell script, and grant the webserver sudo access to that shell script. This may be more secure, too.

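#!/bin/bash
#
# Zip up files for a given user
#
# usage: backupToZipFile.sh <username>

# Refuse empty names or anything that could point outside /home/backups
case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "usage: $0 <username>" >&2; exit 1 ;;
esac

# Stop if the directory is missing, so tar never archives the wrong place
cd "/home/backups/$1" || exit 1
tar -czf "/tmp/$1.tgz" .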

Also have you considered running sudo as the user you're trying to zip files as, instead of as root? This would be more secure as well.

Josh
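
A fuller take on the wrapper-script idea from the last answer, applied to the question's case of zipping only the selected files under relative names. This is an added example, not code from any poster in the thread: the function names are hypothetical, `/home/backups` is taken from the question, and it assumes Info-ZIP `zip` is installed.

```bash
#!/bin/bash
# Added example (not from the thread): functions for a wrapper run via sudo.
# BACKUP_ROOT matches the question's layout; function names are hypothetical.
BACKUP_ROOT=/home/backups
NL='
'

# Accept only plain account names, so the user argument cannot leave BACKUP_ROOT.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Accept only relative paths: no leading "/", no ".." component, no leading
# "-" (zip would read it as an option) and no embedded newline.
valid_rel_path() {
    case "$1" in
        ''|/*|-*|*"$NL"*) return 1 ;;
        ..|../*|*/..|*/../*) return 1 ;;
    esac
}

# zip_selected <user> <absolute output.zip> <relative path>...
# Validates everything first, then creates the archive; returns 2 on bad input.
zip_selected() {
    zs_user=$1
    zs_out=$2
    shift 2
    valid_user "$zs_user" || { echo "bad user name" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "no files selected" >&2; return 2; }
    for zs_p in "$@"; do
        valid_rel_path "$zs_p" || { echo "rejected path: $zs_p" >&2; return 2; }
    done
    # The cd runs inside the privileged process (in a subshell), so zip is
    # given relative names and stores them that way. -y stores symlinks as
    # links instead of following them out of the user's directory.
    ( cd "$BACKUP_ROOT/$zs_user" && zip -q -y "$zs_out" "$@" )
}
```

The sudoers rule would then name only the script that calls `zip_selected`, not `zip` itself.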