File uploads... Unix permissions.

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

File uploads... Unix permissions.

Post by bokehman »

On a Unix box, in order to upload files to a certain directory it must have at least 707 permissions. In that state what stops other parties that share the server writing to that directory? The server is not running any open_base_directory restrictions (according to phpinfo).
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Generally, nothing stops them. In shared hosts, I prefer to use a backend FTP upload if their security is of concern.
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I replied to your thread on Sitepoint but basically if the host uses suexec then you don't need the permissions you mentioned since only *you* need write access. If not then you're stuck with simple file uploads. I guess FTP'ing to localhost with your username and password, as per feyd's suggestion wouldn't add a huge amount of overhead though... file uploads aren't exactly fast in any case since most of the time will be TCP traffic.
User avatar
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

ftp_connect() is not enabled on this server but it was a nice idea. Can you expand on the suexec a bit, I'm not familiar with it.
User avatar
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

By the way if php creates the file it belongs to "nobody".
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

bokehman wrote:ftp_connect() is not enabled on this server but it was a nice idea. Can you expand on the suexec a bit, I'm not familiar with it.
Web hosts have the ability to run PHP either as a module under apache, or using CGI.

Using the module means that PHP will use the userid of apache and that's that.

Uisng CGI calls the interpreter outside of apache itself so it can be run under a different userid. suexec is an apache module which allows you to change the userid in this way so combine it with the CGI and you're able to affect the PHP userid.

Now, the great thing about apache is that you can change it's settings on a per-directory basis. So for each person's home directory on the server PHP can be run under a different userid. It makes sense to get PHP running under the userid of the account holder. Many hosts do this.

Of course, if everybody on the server is running PHP as themselves it's alot easier to restrict access to your files from other users because you can just set the permissions to yourself and nobody else.

Like I say, the quickest way to figure it out would be to create a file using PHP and then use FTP to view the ownership details on the file ;)
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

bokehman wrote:By the way if php creates the file it belongs to "nobody".
That sucks :twisted: In that case anybody else running a PHP script has access to your files I bet. I'd suggest testing it on someone else's account but I can't give you instructions because it's not allowed.
User avatar
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

Well, it doesn't seem too secure. I have a recursive directory read function and set it to start at ../ and it can read everything. File content is readable too... things like this...

$dbhost = 'www.*****.com';
$dbname = '*****_db';
$dbuser = '*****';
$dbpasswd = '*****';

I wasn't really too happy about the server when I took the job on. I've been on to the client and told them it's not secure but they say they don't want to change "because they are nice people and just down the road".
Post Reply