mkdir function file permissions


nmpach
Forum Newbie
Posts: 4
Joined: Mon Dec 22, 2008 12:37 pm

Post by nmpach »

For every user that registers at my site, I have my server create a new directory that is named after the new user's chosen username. Once created, I create various pages in that directory such as 'profile.php' to display user info, etc. The problem is that this entire process has to be done from within my registration script and the mkdir() function won't allow me to create a directory with file permissions a=rwx (777). I realize the default file permission when none is specified is 777 ('0777' when specified as a parameter), but it keeps giving me: 'drwxr-xr-x'. Even when I do specify 0777, it still leaves out write permissions for the user and other groups. This is a problem because afterwards I can't write a file to this directory from within a script. I don't know why this is happening; however, I did notice something interesting . . . My server runs Apache, and when I create a new directory/file from within a PHP script the creator is not 'nick' (my admin name) as files usually are, but instead '_www'. All help appreciated,

nmpach
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: mkdir function file permissions

Post by jaoudestudios »

When php/apache creates a file/folder on *nix (most probably Linux), the file/folder is usually owned by apache or nobody, depending on the server setup. This user usually never has permission to change the permissions to 777 (don't know why you would want 777 - but that is another story).

Why not just have 1 profile.php file that is fully dynamic so that it adjusts itself to suit the user - they do not need a file each! Imagine you want to change something in the future...what a nightmare!!!
nmpach
Forum Newbie
Posts: 4
Joined: Mon Dec 22, 2008 12:37 pm

Re: mkdir function file permissions

Post by nmpach »

jaoudestudios wrote:Why not just have 1 profile.php file that is fully dynamic so that it adjusts itself to suit the user - they do not need a file each!
I had it set up this way for two years when I was using a free hosting site. However, now I've just bought myself (I went to type 'mysql' three times before I got my fingers to type 'myself' instead here) a brand new, half-terabyte hard drive! Is that not exciting? And I'm dedicating the entire thing to daily server backups, etc. So why not create a directory for every user and use up some space? Besides, my site gets approx. 2 accidental hits a year, not counting my own when I'm developing, so it's likely that not that many people will even register. Moving on . . .
jaoudestudios wrote:(don't know why you would want 777 - but that is another story)
It appears that I need to allow the 'group' permissions write access in order to create a file/directory that I can edit from within another script (via PHP - fopen()). When I created the directory with mkdir() from within the PHP registration script, it wouldn't allow me to write a file to that directory from within a PHP script. However, when I manually modified the permissions of the directory to allow the 'user' and 'other' groups write access, it then allowed PHP to create files in the directory . . . Is there some way I could perhaps make the fopen() a root command and give it my password so the server thinks it's the 'admin' group doing the file creating? I know it allowed me to do this manually. I was using ssh and I just said 'sudo nano ./(php-created-dir-name)/(made-up-file-name).php', supplied my password and it allowed it, so it's for sure allowing admin/root access; I just need to know if there is a way - from within PHP - that I can tell the server that the fopen() call is legit (issued by root). Is there some way to do this? Again, help appreciated,

nmpach
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: mkdir function file permissions

Post by kaisellgren »

jaoudestudios wrote:When php/apache creates a file/folder on *nix (most probably Linux), the file/folder is usually owned by apache or nobody, depending on the server setup. This user usually never has permission to change the permissions to 777 (don't know why you would want 777 - but that is another story).

Why not just have 1 profile.php file that is fully dynamic so that it adjusts itself to suit the user - they do not need a file each! Imagine you want to change something in the future...what a nightmare!!!
Let me add my 2 cents.

Mkdir()'ed directories are 0755 by default and yes, you cannot chmod() them to 0777, like jaoudestudios said.
nmpach
Forum Newbie
Posts: 4
Joined: Mon Dec 22, 2008 12:37 pm

Re: mkdir function file permissions

Post by nmpach »

kaisellgren wrote:Mkdir()'ed directories are 0755 by default
From my experience it would appear so; however, PHP affirms that that is not so, just as I said.
The mode is 0777 by default, which means the widest possible access.
That is taken directly off php.net. Still appreciating help from anybody else with authoritative information,

brodeur235
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: mkdir function file permissions

Post by jaoudestudios »

For GROUP to have write all you need is 775. You could make it sticky so that new directories inherit the permissions. Definitely would advise against 777!

What about php safe mode? Is it on or off?
nmpach
Forum Newbie
Posts: 4
Joined: Mon Dec 22, 2008 12:37 pm

Re: mkdir function file permissions

Post by nmpach »

jaoudestudios wrote:Definitely would advise against 777!
If there is a better (safer) way to do what I'm trying to do then I'm definitely open to suggestions. The discussed method was just the only one that seemed obvious. Maybe there's some way I can up the permissions of the '_www' apache user?

According to my phpinfo(), safe mode is off both on the local and master settings.

nmpach
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: mkdir function file permissions

Post by kaisellgren »

nmpach wrote:
Mkdir()'ed directories are 0755 by default
From my experience it would appear so, however php affirms that that is not so, just as I said.
The mode is 0777 by default, which means the widest possible access.
That is taken directly off php.net. Still appreciating help from anybody else with authoritative information,

brodeur235
Hmm..

I tried 4 free shared hosts, 2 paid shared hosts, one VPS and one dedicated server. On each server the default permission level was 0755 for directories created by PHP's mkdir(). Safe mode was off and my dedi was using php-recommended.ini while VPS used my custom ini.
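
The gap between the documented 0777 default and the 0755 seen on disk is what a process umask of 022 produces (0777 & ~022 = 0755). The PHP sketch below is an added example, not part of any post in this thread; it assumes a POSIX host, and the helper names and temporary paths are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes a POSIX host; the
// helper names and the temporary directory layout are hypothetical.

// Permission bits of $path, without the file-type bits.
function mode_of(string $path): int
{
    clearstatcache(true, $path);
    return fileperms($path) & 07777;
}

// Create $path with exactly $mode regardless of the process umask.
// mkdir() only requests a mode; the kernel stores ($mode & ~umask).
// chmod() is not filtered by the umask, but it succeeds only when the
// PHP process owns the directory (true for one it has just created).
function make_dir_with_mode(string $path, int $mode): int
{
    if (!mkdir($path, $mode) || !chmod($path, $mode)) {
        throw new RuntimeException("could not create $path");
    }
    return mode_of($path);
}

$base = sys_get_temp_dir() . '/umask_demo_' . getmypid();
mkdir($base, 0700);

$old = umask(0022);                  // a common default for web server processes
mkdir("$base/default");              // documented default request: 0777
mkdir("$base/explicit", 0777);       // same request, spelled out
$exact = make_dir_with_mode("$base/group", 0775);

printf("mkdir() default   -> %04o\n", mode_of("$base/default"));
printf("mkdir(..., 0777)  -> %04o\n", mode_of("$base/explicit"));
printf("mkdir + chmod     -> %04o\n", $exact);

// Flag any directory that ended up world-writable (the o+w bit, 0002).
foreach (['default', 'explicit', 'group'] as $name) {
    $flag = (mode_of("$base/$name") & 0002) ? 'WORLD-WRITABLE' : 'ok';
    printf("%-8s %s\n", $name, $flag);
    rmdir("$base/$name");
}
rmdir($base);
umask($old);                         // restore the original umask
```

Both plain mkdir() calls keep the owner's write bit, so the account that created the directory can still create files in it; only group and other lose write access under this umask.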
Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Re: mkdir function file permissions

Post by Syntac »

jaoudestudios wrote:Definitely would advise against 777!
Fretting about 0777 permissions is one of the silliest things I've ever seen. :) Someone can only mess with your files if they have FTP or shell access, in which case you're screwed anyway.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: mkdir function file permissions

Post by jaoudestudios »

Syntac wrote:
jaoudestudios wrote:Definitely would advise against 777!
Fretting about 0777 permissions is one of the silliest things I've ever seen. :) Someone can only mess with your files if they have FTP or shell access, in which case you're screwed anyway.
Is that true??? I thought there were other ways. i.e. 777 was wide open!?!?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: mkdir function file permissions

Post by VladSun »

Syntac wrote:
jaoudestudios wrote:Definitely would advise against 777!
Fretting about 0777 permissions is one of the silliest things I've ever seen. :) Someone can only mess with your files if they have FTP or shell access, in which case you're screwed anyway.
It's not true.

Linux is a multiuser OS, so permissions are important. If it was so - give me an unprivileged shell account to your server and change the permissions of /etc/ld.preload to 777 ;)
There are 10 types of people in this world, those who understand binary and those who don't
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: mkdir function file permissions

Post by jaoudestudios »

But you would still have to have an account on the system to do anything to a 777 folder?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: mkdir function file permissions

Post by kaisellgren »

If a .php file is 0640 and a hacker has succeeded in uploading an .exe file to the server and has launched it, the .exe file won't be able to read the 0640 .php file. Or am I missing something?

If a .php file is 0666 (no execution, but reads & writes), then the hacker can't even run the .php file even if he runs something like /var/bin/php -f /var/www/public_html/dangerous_file_to_be_executed.php

The .php file won't be executed by the PHP processor, because it has no execute permissions.

To sum up, file permissions are important.

PHP files (or other files) should not have execute permissions in general. Permission of 0644 (0640 is even better) is highly recommended.

File permission of 0400 is also possible to have. I'm using it in several files on my servers. If you know what you are doing, you can set files to 0400 ;)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: mkdir function file permissions

Post by VladSun »

jaoudestudios wrote:But you would still have to have an account on the system to do anything to a 777 folder?
Not really... as kaisellgren pointed out, one will need just some kind of exploit. Executing shell commands under Apache user rights is the most often seen result from these exploits. Now ... give me 0777 /etc/ld.preload and an exploit like these will have ROOT permissions ;)
There are 10 types of people in this world, those who understand binary and those who don't
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: mkdir function file permissions

Post by jaoudestudios »

I think .exe is misleading, we're talking about linux here not windows :lol: (we all know windows sucks :wink: )