
Uploading Files - Setting Directory Permissions

Posted: Sun Dec 07, 2003 11:11 am
by webcan
Hello everyone:

I've created a little application that lets a user upload a JPG file from their browser.

The application works fine and all, but it will only save the file if the destination directory permission is 777. I'm thinking that this is a potential security problem: other users on the server could discover the directory and make modifications with a script in their account, right?

Can someone give me some insight as to whether this is the correct way to set up file uploading? If not, any suggestions?

Thanks,
Peter.

Posted: Sun Dec 07, 2003 11:32 am
by vigge89
I don't think they can if you only allow image files.

Posted: Sun Dec 07, 2003 5:28 pm
by DuFF
And as long as you don't have any scripts in the upload directory then you can CHMOD it to 666. This gives read/write to everyone but nothing can be executed.

I would advise that you make sure the file is a jpg somewhere in your upload script though.

Posted: Sun Dec 07, 2003 6:29 pm
by webcan
OK, but I'm saying, let's say the upload directory is /home/myusername/httpdocs/images/upload, and that directory is 666 or 777, and another user executes the command rm /home/myusername/httpdocs/images/upload/somefile.jpg from within THEIR area on the server, wouldn't that result in the deletion of files from that directory?

And therefore, wouldn't another user be able to potentially delete everything from my upload directory?

Posted: Sun Dec 07, 2003 6:33 pm
by McGruff
I suspect that php runs under a different UID than your ftp login.

Use mkdir() to create the directory - not your ftp program. If the folder is owned by whatever UID php runs under, you can CHMOD it 755 or whatever.

The dirinfo command in your ftp program will let you view file/folder owners and groups.
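
The two suggestions in this thread (create the directory from PHP so that PHP's UID owns it, and check in the upload script that the file really is a JPEG) combined in one upload handler. This is an added example, not code from any poster here; the `photo` form field, the `upload` directory next to the script, and the function names are assumptions.

```php
<?php
// Added example. Assumed form field: "photo". Assumed location: ./upload beside this script.
const UPLOAD_DIR = __DIR__ . '/upload';

// Create the directory from PHP so it is owned by the UID PHP runs under.
// Mode 0755: owner rwx, group/other r-x (the final mode is still subject to umask).
function ensure_upload_dir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    if ($mode & 0022) {            // group- or world-writable, e.g. a leftover 777
        throw new RuntimeException(sprintf('%s is mode %o, expected no group/other write', $dir, $mode));
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the PHP process UID");
    }
}

// Accept the upload only if its content parses as a JPEG image.
function store_jpeg(array $file, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG');
    }
    // Server-chosen name: never reuse the client-supplied filename or extension.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0644);            // readable by the web server, writable only by the owner
    return $dest;
}

if (isset($_FILES['photo'])) {
    ensure_upload_dir(UPLOAD_DIR);
    echo basename(store_jpeg($_FILES['photo'], UPLOAD_DIR));
}
```

The `mkdir()` call only succeeds if the parent directory is writable by the UID PHP runs under, so the parent may need a one-time permission change that is reverted once the upload directory exists.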