Uploading Files - Setting Directory Permissions

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
webcan
Forum Commoner
Posts: 66
Joined: Tue Oct 28, 2003 2:25 pm
Location: Toronto, Canada

Uploading Files - Setting Directory Permissions

Post by webcan »

Hello everyone:

I've created a little application that lets a user upload a JPG file from their browser.

The application works fine and all, but it will only save the file if the destination directory permission is 777. I'm thinking that this is a potential security problem, other users on the server could discover the directory and make modifications with a script in their account, right?

Can someone give me some insight as to whether this is the correct way to set up file uploading? If not, any suggestions?

Thanks,
Peter.
User avatar
vigge89
Forum Regular
Posts: 875
Joined: Wed Jul 30, 2003 3:29 am
Location: Sweden

Post by vigge89 »

i don't think they can if you only allow imagefiles
User avatar
DuFF
Forum Contributor
Posts: 495
Joined: Tue Jun 24, 2003 7:49 pm
Location: USA

Post by DuFF »

And as long as you don't have any scripts in the upload directory then you can CHMOD it to 666. This gives read/write to everyone but nothing can be executed.

I would advise that you make sure the file is a jpg somewhere in your upload script though.
webcan
Forum Commoner
Posts: 66
Joined: Tue Oct 28, 2003 2:25 pm
Location: Toronto, Canada

Post by webcan »

OK, but I'm saying, let's say the upload directory is /home/myusername/httpdocs/images/upload, and that directory is 666 or 777, and another user executes the command rm /home/myusername/httpdocs/images/upload/somefile.jpg from within THEIR area on the server, wouldn't that result in the deletion of files from that directory?

And therefore, wouldn't another user be able to potentially delete everything from my upload directory?
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

I suspect that php runs under a different UID than your ftp login.

Use mkdir() to create the directory - not your ftp program. If the folder is owned by whatever UID php runs under, you can CHMOD it 755 or whatever.

The dirinfo command in your ftp program will let you view file/folder owners and groups.
Post Reply