
[SOLVED] - Upload - Failed to open stream:Permission denied

Posted: Sun Jun 27, 2004 8:10 am
by anjanesh
Here is a simple code :


<FORM ENCTYPE="multipart/form-data" ACTION="upload.php" METHOD=POST>
<TABLE>
<TR>
<TD ALIGN=right>Image: (100KB Limit)</TD>
<TD><INPUT NAME="imgfile" TYPE="file" SIZE=60></TD>
<TD><INPUT TYPE="submit" NAME="subEdit" VALUE="Submit"></TD>
</TR>
</TABLE>
</FORM>


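<?php
 $uploadDir = '';
 // Destination path: upload directory plus the file name sent by the client
 $uploadFile = $uploadDir . $_FILES['imgfile']['name'];
 if (!copy($_FILES['imgfile']['tmp_name'], $uploadFile)) {
     // failure branch; its body was not included in the post
 }
?>

I'm getting this error :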

Warning: copy(dd.jpg): failed to open stream: Permission denied in /xxxx/upload.php on line xx

print_r($_FILES) gave this
Array ( [imgfile] => Array ( [name] => dd.jpg [type] => image/pjpeg [tmp_name] => /tmp/phpvNVrST [error] => 0 [size] => 19473 ) )
So the error was 0.

I even tried move_uploaded_file() but got the same error.
The server is Apache.
Anyone know what's wrong ? Is it the code or the permission settings ? The code is working on localhost.
Thanks

Posted: Sun Jun 27, 2004 9:13 am
by scorphus
Please show us the output of this code:


<pre><?php
ini_set('display_errors','1');
error_reporting(E_ALL);
print_r($_FILES); /* special attention to $_FILES['imgfile']['error'] */
if (!$fp = fopen('test.txt', 'w'))
	echo "Error creating file, it seems you don't have write permission.\n";
else {
	echo "test.txt was created, it seems you have write permission.\n";
	fclose($fp);
}
$uploadDir = '';
$uploadFile = $uploadDir . $_FILES['imgfile']['name'];
if (!copy($_FILES['imgfile']['tmp_name'],$uploadFile))
	echo 'failed to copy ' . $_FILES['imgfile']['tmp_name'] . "\n";
?></pre>

Scorphus

Posted: Sun Jun 27, 2004 9:21 am
by anjanesh
I got it to work when I right clicked folder Properties when using ftp and set the Permissions of Owner, Groups & All Users to Read, Write & Execute. And now it worked. But doesn't this mean that anyone can write ? If so it's dangerous. So how do I overcome this problem ?

Posted: Sun Jun 27, 2004 9:30 am
by anjanesh
scorphus - The result of your code is :
Array
(
[imgfile] => Array
(
[name] => dd.jpg
[type] => text/plain
[tmp_name] => /tmp/phposlbpQ
[error] => 0
[size] => 119
)
)

Warning: fopen(test.txt): failed to open stream: Permission denied in /home/konkanuae/Konkan/test/scorphus.php on line 5
Error creating file, it seems you don't have write permission.

Warning: copy(dd.jpg): failed to open stream: Permission denied in /home/konkanuae/Konkan/test/scorphus.php on line 13
failed to copy /tmp/phposlbpQ

But when I checked the read,write,execute permissions for all users the result was :
Array
(
[imgfile] => Array
(
[name] => dd.jpg
[type] => text/plain
[tmp_name] => /tmp/phpSGiQAe
[error] => 0
[size] => 119
)
)
test.txt was created, it seems you have write permission.

But is setting the permissions to all users the method to solve the problem ? Isn't this potentially dangerous ?

Posted: Sun Jun 27, 2004 9:37 am
by scorphus
Yes, anyone has write permission to the folder. But this doesn't mean they can delete or change the contents of this folder (assuming they have no write permission to these contents). They can only delete/change their own files/subfolders.

What you could do is implement the access permission with group bits. Deny wrx for all users and add the Apache user (commonly www-data or nobody) to the group of the folder, then control the access with the folder's group.

Hope you got it,
Scorphus.
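
As an added example (not part of the original thread), this shell sketch classifies an upload directory's mode and applies the group-based setup suggested in the post above. The function names are hypothetical, and the demo uses the caller's own primary group in place of a group that contains the Apache user.

```shell
#!/bin/sh
# Added example (not from the thread): classify an upload directory's mode
# and switch it from world-writable to group-controlled access.

# Print one label describing who can create/delete entries in DIR.
# Reads the mode string from `ls -ld` (e.g. drwxrwxrwt): char 6 is group
# write, char 9 is other write, char 10 shows the sticky bit as t/T.
upload_dir_exposure() {
    [ -d "$1" ] || { echo "not-a-directory"; return 0; }
    mode=$(ls -ld -- "$1" | cut -c1-10)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    sticky=$(printf '%s' "$mode" | cut -c10)
    if [ "$other_w" = "w" ]; then
        case $sticky in
            # Sticky bit set (1777, like /tmp): any local user can add
            # files, but only the owner of an entry can remove or rename it.
            t|T) echo "world-writable-sticky" ;;
            # Plain 777: any local user can add, remove or rename entries.
            *)   echo "world-writable" ;;
        esac
    elif [ "$group_w" = "w" ]; then
        echo "group-writable"
    else
        echo "owner-only"
    fi
}

# Hand DIR to GROUP and drop every permission for "other" (mode 770).
# GROUP must already contain the web server account; creating it and
# adding that account is the server administrator's job.
restrict_upload_dir_to_group() {
    chgrp -- "$2" "$1" && chmod -- 770 "$1"
}

# Demo on a constructed temporary directory. The caller's own primary
# group stands in for the shared group (assumption for the demo).
demo_dir=$(mktemp -d)
chmod 777 "$demo_dir"
echo "before: $(upload_dir_exposure "$demo_dir")"
restrict_upload_dir_to_group "$demo_dir" "$(id -g)"
echo "after:  $(upload_dir_exposure "$demo_dir")"
rm -rf "$demo_dir"
```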

Posted: Sun Jun 27, 2004 10:49 am
by anjanesh
How do I create a group here ? ftp explorer is not having any option for that ? Do I have to get to direct ftp (command prompt) ?
Also - how does this make it secure ?
What I'm doing is for an admin part who needs to upload stuff. The username & pwd is of course thru mysql db but how do I control file access here ?
Thanks

Posted: Sun Jun 27, 2004 11:03 am
by scorphus
Tell me a bit about the server. Is it a server from a contracted Service Provider Company? Is it yours? Is it a public computer (school)?

You must have administration privileges to manage groups on the server. If it is not the case, you can see with the system's administrator this possibility.

But it is not really a security risk, especially if it is a contracted service, they have good security schemes. Also make sure writeable folders are few and hidden (caution with error messages) from the user.

Regards,
Scorphus from Brazil, a great India partner!

Posted: Tue Jun 29, 2004 11:54 am
by anjanesh
The server is from a Web Hosting Co and has (from phpinfo) :

Linux linux5
Apache/1.3.28 (Unix) Resin/2.1.1 mod_ssl/2.8.15 OpenSSL/0.9.7a PHP/4.3.7
User/Group nobody(99)/99

Posted: Tue Jun 29, 2004 12:16 pm
by Joe
I have had similar errors to that and the best way to solve it is to set the directory CHMOD to 777. I'm not sure about the security issues raised there but it works for sure!

Posted: Wed Jun 30, 2004 8:40 am
by scorphus
anjanesh wrote: The server is from a Web Hosting Co and has (from phpinfo) :

Linux linux5
Apache/1.3.28 (Unix) Resin/2.1.1 mod_ssl/2.8.15 OpenSSL/0.9.7a PHP/4.3.7
User/Group nobody(99)/99

So you'll have to see with this Web Hosting Co how and if they can manage this situation for you. Maybe they have some group permission scheme involving client's group and the nobody group.

But, as I said, there is not really a security risk, the security role is played by the server administrators, and they should have done it well (ask them too). Keep your writeable folders few and secret (caution with error messages).

Regards,
Scorphus.

[SOLVED]

Posted: Wed Jun 30, 2004 11:10 pm
by anjanesh
Thanks guys for the info.
SOLVED