Problems Restricting Access Via Chmod
Posted: Tue Aug 09, 2005 8:10 pm
by adam3223
I wanted to change the chmod values of certain image files on my webserver so they cannot be accessed directly.
I was under the impression a local PHP script could still read them even though they are blocked from the outside world.
Is this true, as I can't get it working??
N.B using this to load image:
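Code:
<?php
// Send the registered JPEG MIME type (image/jpeg, not image/jpg)
header('Content-Type: image/jpeg');
// Decode the file with GD, re-encode it to the output, then free the memory
$image = imagecreatefromjpeg('pictures/1st social/social 001.jpg');
imagejpeg($image);
imagedestroy($image);
?>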
Thanks in Advance
Posted: Tue Aug 09, 2005 8:18 pm
by feyd
If set properly, it should be readable. You could potentially (if your host allows) place the images outside your webroot, making it impossible to gain "direct" access to them through the website.
Posted: Wed Aug 10, 2005 10:00 am
by pickle
Whether or not a local PHP script can read the file depends on the permissions of the file.
In Linux, the permissions are Owner execute/read/write, Group execute/read/write, World execute/read/write. If you change the mode so that only the owner can read, and PHP isn't running as that user, then it won't be able to read the file.
What are the permissions on the file before and after you chmod it?
Posted: Wed Aug 10, 2005 10:11 am
by adam3223
I could put them outside my webroot but I would like to know what I'm doing wrong.
I change the chmod value so Everyone Cannot Read and leave the others the same. (chmod value 640)
Also the folders above it are set to 711 to stop indexing and general access.
Edit: default of files is 644, it is a Linux server
Posted: Wed Aug 10, 2005 12:19 pm
by pickle
I just realized that there's no way (using just permissions), to restrict public access to images and still have the files accessible via php (unless you're running a CLI script). PHP will access the files as the apache user. A user typing in the address of the file directly will also access the files as the apache user.
The only way to restrict access is to move the files outside the web root.
Posted: Wed Aug 10, 2005 1:29 pm
by timvw
Use .htaccess:
- It can be in a public webdir
- Apache/php can read it, people can't request it via http
Shared hosting:
- Make all the users their group 'users'
- Run apache as something that is in a 'services' group.
Now you can easily create userdirectories that are owned by user:services
User should get rwx and services only need x
The webdir etc in the userdirectories will be owned by user:users, so you need to give access to others (notice that only users from the services group can get here, so that's ok)
With mod_safe enabled you should be able to keep foreigners out of your files
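Moving the images outside the web root, as suggested in the replies above, leaves a PHP script as the only route to the files, so that script has to validate the requested name itself. The following is an added example, not code from any poster in the thread; the directory path, the `img` query parameter and the `resolve_image` helper are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumed layout: images live in
// /home/example/private_images, a constructed path OUTSIDE the web root,
// readable by the user the web server runs PHP as.
const IMAGE_DIR = '/home/example/private_images';

/**
 * Map a client-supplied name to a file inside $baseDir, or return null.
 * Hypothetical helper: rejects traversal ("../"), symlinks that escape
 * the directory, and anything that is not a .jpg/.jpeg file.
 */
function resolve_image(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks, and fails on missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still be inside the image directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg'], true) ? $path : null;
}

// The site's own access check (e.g. a logged-in session) belongs here:
// this script is now the only way to reach the files over HTTP.
$name = $_GET['img'] ?? '';
$path = is_string($name) ? resolve_image(IMAGE_DIR, $name) : null;
if ($path === null || !is_readable($path)) {
    http_response_code(404);
    exit;
}

header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path); // stream the bytes as-is instead of re-encoding with GD
```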
