understanding php permissions (and servers/OS's)

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

jxn
Forum Newbie
Posts: 22
Joined: Wed Jul 13, 2005 4:33 pm

understanding php permissions (and servers/OS's)

Post by jxn »

Howdy,
I've written a modest php app that handles uploads or scanned files, renaming them based on user input and metadata, and occasionally deleting and moving them to keep the folders organized in a logical way, and I've got a few questions about worries I've had with php handling them.
First off, these files are all pretty important and I want to protect them... not necessarily accidental deletion by my app, which seems to be doing its job well, but from people wandering the folder of files and deleting them. Right now, my app edits/moves/etc. files from a non-web-accessible share /var/files. The problem is, I've had to chmod EVERYTHING 0777 (I think I could maybe do only 0777 for dirs and 0666 for files, though) to let php do its thing. Is there another way to accomplish this? Is it possible to add, for instance, php or apache to the chown group, and then chmod to 0764? If such a thing is possible, I'm not sure how I would add php/apache to the chown group on a windows machine (to which I have no access at the moment), in the event I wish to use windows, too.

Any help/information/clarification would be much appreciated.

Thank you.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Only the user that does the php script (typically www-data or nobody) needs rights... Basically: only user, group or others need specific rights... (And certainly not all of the three groups)... Thus in a 'only rights that are absolutely needed scenario' you would have at least two 0's in the value...
jxn
Forum Newbie
Posts: 22
Joined: Wed Jul 13, 2005 4:33 pm

Post by jxn »

I'm such a fool!

For some reason I was thinking (maybe because my uploads are assigned to chown "nobody") that php did everything as world, and I never bothered to try setting things otherwise!

Thanks, I'll try that. Also, are there any major file-safety/security concerns with having php alter files in a separate /var/files directory if it is not web-accessible?
bg
Forum Contributor
Posts: 157
Joined: Fri Sep 12, 2003 11:01 am

Post by bg »

PHP has the same permissions, name and group as the webserver. The web user generally runs under user "www". Basically what you want to do is make these files writeable by the user www. You use chown to do this.

Code: Select all

chown -R www ./image_directory
Then you want to give read/write/execute permission to just the file owner (which we specified with chown) user and read access to everybody else. You do this with the chmod command.

Code: Select all

chmod -R go=r
This sets the groups and Other users permissions to read only. Now nobody but the webserver (and php) can tinker with your files. Here's a chmod tutorial : http://www.catcode.com/teachmod/index.html
jxn
Forum Newbie
Posts: 22
Joined: Wed Jul 13, 2005 4:33 pm

Post by jxn »

Thanks for the help; I'm already pretty familiar with chmod (been using it daily for 6+ years now), but I didn't know anything about how the server handles such things. It seems now that I figured out my server user and group are called "apache" things are working much better.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

If I may I would like to hook up on this question. I understand the basics of users, group and world and permissions.

All fine in theory but I have come across so many (shared) hosts on which often scripts have to be set to 0777 to function. At the same time, sometimes scripts will create directories or files, which I then cannot access, edit or delete myself (with FTP for example). Very annoying.

So can anyone explain why that happens? Which (apache) setting may cause this?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I don't have any experience with webhosts that really require rwx for user, group and others at the same time...

I do have seen INSTALL.TXT files saying that it's required, but that's just bollocks (in my experience) ;)
bg
Forum Contributor
Posts: 157
Joined: Fri Sep 12, 2003 11:01 am

Post by bg »

matthijs wrote:If I may I would like to hook up on this question. I understand the basics of users, group and world and permissions.

All fine in theory but I have come across so many (shared) hosts on which often scripts have to be set to 0777 to function. At the same time, sometimes scripts will create directories or files, which I then cannot access, edit or delete myself (with FTP for example). Very annoying.

So can anyone explain why that happens? Which (apache) setting may cause this?
It's probably an execute bit that needs to be set, and chmod 777 obviously makes the file executable by anybody.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Well, the strange thing is that if you install exactly the same script on different hosts, sometimes different permissions are needed. So it is something in the way apache handles the settings. Like apache sees every script as owned by "world" and therefore they need 777. On other hosts its 755. But why is it that sometimes a directory made by a script is inaccessible with my FTP client or control panel? Or is it because apache has created the directory, not the script? (and set the permissions too strict)
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

A lot of this depends on the server and setup of the server. Hosts set up accounts differently and this can affect your code dramatically.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Yes, it seems like it. Maybe it is finally time for some (virtual) dedicated hosting..
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I do admit that at first it might look a bit confusing.. Eg:

- Overhere homedirectories are created with (username : services)
timvw@madoka:~$ ls -la ~
total 144
drwx--x--- 14 timvw services 4096 Aug 27 12:40 .
- Apache runs as nobody : nobody and is a member of the services group (users are not part of that group).

Thus when i give rights to access my homedir to group i know that i only give services rights to access it.. Since other users are not in the services group, they have to stay out ;))

- My pubwww directory is owned by timvw : users
timvw@madoka:~$ ls -la src/timvw.madoka.be/
total 20
drwx-----x 3 timvw users 4096 Jun 16 01:05 .
In order to give apache rights to the file i have to give others read rights (since apache is not in the users group).
bg
Forum Contributor
Posts: 157
Joined: Fri Sep 12, 2003 11:01 am

Post by bg »

matthijs wrote:Well, the strange thing is that if you install exactly the same script on different hosts, sometimes different permissions are needed. So it is something in the way apache handles the settings. Like apache sees every script as owned by "world" and therefore they need 777. On other hosts its 755. But why is it that sometimes a directory made by a script is inaccessible with my FTP client or control panel? Or is it because apache has created the directory, not the script? (and set the permissions too strict)
Different distros and systems use different user and group schemes. Personally, I use FreeBSD which has apache running as user www. As someone mentioned, some hosts/distros have apache running under the user nobody.

If apache has write permissions to a directory, any file it creates is gonna be owned by apache's user and group. When you try to modify these files through ftp, you are accessing them with your personal users permission, which often times means you won't have read/write access. One way to get around this is to chown them to be owned by you, but in the www group.

Code: Select all

chown -R username:www ./the_directory
. Then give write and execute permissions to both owner and group and just read permission to others. This will allow your scripts to run correctly and for you to modify these scripts through ftp.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

bg wrote:One way to get around this is to chown them to be owned by you, but in the www group.
Code:

Code: Select all

chown -R username:www ./the_directory
. Then give write and execute permissions to both owner and group and just read permission to others. This will allow your scripts to run correctly and for you to modify these scripts through ftp.
Thanks. I'll remember this for when I have command line access to my host accounts. At the moment it's FTP-only, unfortunately. It's really a pita to not be able to set the permissions I would like.
(So if anyone knows a good host...)
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Many ftp clients support chmod as do many servers. It may be possible to run the changes via your particular combination.
Post Reply