Help with folders, uploads, in safe mode

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
twn0001
Forum Newbie
Posts: 3
Joined: Sun Jul 29, 2007 2:24 pm

Help with folders, uploads, in safe mode

Post by twn0001 »

I'm having issues with creating folders and uploading files to them in PHP safe mode.

If I log into my server using an FTP program, and create a folder with permissions 0777, the folders are given owner "USER" (don't know the UID), and I am freely able to use PHP scripts to successfully move_uploaded_file() and unlink() files in the folder.

However, I now want PHP to be able to create folders on the fly. So, I mkdir() and then chmod() the folders to 0777. This works. But I've noticed that the folders are given owner "apache" (UID 50), and when I try to move_uploaded_file() and unlink() files in the folder, I get the error
SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access *FOLDER PATH* owned by uid 50
I've tried chown("FOLDER", "USER"), since the folders created by USER via FTP work just fine, but that returns the error that it can't find the UID for "USER". I've tried chown("FOLDER", 500), but that returns the error "chown(): Operation not permitted".

This seems a little silly that PHP can write to folders I create in an FTP program, but not folders it creates itself. Is there a way to work around this on the code level, or do I need to contact my server? If I need to contact my server, what should I ask them to do, specifically? Do they need to change "apache"'s UID, or PHP's UID, or USER's UID, or what?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

PHP typically (unfortunately - it's a bad choice) runs as user Apache. Nothing you can do about that except:

1) Ask your host to change their system setup - not very likely.
2) Ask to disable SAFEMODE. If you threaten to leave they will likely disable it. I work in tech support and handle questions like this all day and most clients are able to convince their hosts to disable it.
3) Re-write your software to use FTP instead of local file operations.

Cheers :)
twn0001
Forum Newbie
Posts: 3
Joined: Sun Jul 29, 2007 2:24 pm

Post by twn0001 »

Thanks for your quick reply.

If PHP is running as user "Apache," then shouldn't it be creating folders as user "Apache" and also accessing them as user "Apache?"

From the script errors I'm receiving, it seems like PHP is operating under two different users--Apache (uid 50) when it creates folders, and then ??? (uid 500) when it's trying to move files into the folders. Is that normal behavior?

My experience is only with coding--not with networking--so could you please try to explain to me why PHP can access folders that I create via FTP (user: USER), but why it cannot access folders that it creates itself using "apache" (uid 50)? And when PHP fails to access a file, it always says "the script whose uid is 500...", so why is the script with UID 500 creating a folder using UID 50?

If I do ask my server to remove safe mode, what risks would it pose to our website security? I know we are a shared server (our absolute path is (/home/site1/vars/html/), so there is more than 1 website on our server. Would it be possible for others on our server, or even on a remote server to mess with our files without safe mode?

Thank you very much for your help!
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

twn0001 wrote:If I do ask my server to remove safe mode, what risks would it pose to our website security? I know we are a shared server (our absolute path is (/home/site1/vars/html/), so there is more than 1 website on our server. Would it be possible for others on our server, or even on a remote server to mess with our files without safe mode?
Safe mode gives a false sense of security. It will be removed in PHP6.
twn0001
Forum Newbie
Posts: 3
Joined: Sun Jul 29, 2007 2:24 pm

Post by twn0001 »

Hockey--

Re-writing to use FTP wrappers instead of local file operators absolutely worked! And the performance hit isn't really that noticeable at all. So thanks for the help!
User avatar
nathanr
Forum Contributor
Posts: 200
Joined: Wed Jun 07, 2006 5:46 pm

Post by nathanr »

try this:

Code: Select all

<?php
mkdir('testdir', 0766);
?>
save it in the web root and execute it..

[explains: weirdly I've found on some boxes, that it doesn't matter how you change the permissions on any premade directory apache just won't allow you to mkdir a subdir inside the premade folder, however fi you make it in the webroot, it should work]

then simply do the same to make folders you need, ensuring that php/apache created the main folder inside the web root (public_html/upload] or whatever

additionally perhaps a chown to user nobody and group nobody might help..?
Post Reply