understanding php permissions (and servers/OS's)
Moderator: General Moderators
understanding php permissions (and servers/OS's)
Howdy,
I've written a modest php app that handles uploads or scanned files, renaming them based on user input and metadata, and occasionally deleting and moving them to keep the folders organized in a logical way, and I've got a few questions about worries I've had with php handling them.
First off, these files are all pretty important and I want to protect them... not necessarily accidental deletion by my app, which seems to be doing its job well, but from people wandering the folder of files and deleting them. Right now, my app edits/moves/etc. files from a non-web-accessible share /var/files. The problem is, I've had to chmod EVERYTHING 0777 (I think I could maybe do only 0777 for dirs and 0666 for files, though) to let php do its thing. Is there another way to accomplish this? Is it possible to add, for instance, php or apache to the chown group, and then chmod to 0764? If such a thing is possible, I'm not sure how I would add php/apache to the chown group on a windows machine (to which I have no access at the moment), in the event I wish to use windows, too.
Any help/information/clarification would be much appreciated.
Thank you.
I've written a modest php app that handles uploads or scanned files, renaming them based on user input and metadata, and occasionally deleting and moving them to keep the folders organized in a logical way, and I've got a few questions about worries I've had with php handling them.
First off, these files are all pretty important and I want to protect them... not necessarily accidental deletion by my app, which seems to be doing its job well, but from people wandering the folder of files and deleting them. Right now, my app edits/moves/etc. files from a non-web-accessible share /var/files. The problem is, I've had to chmod EVERYTHING 0777 (I think I could maybe do only 0777 for dirs and 0666 for files, though) to let php do its thing. Is there another way to accomplish this? Is it possible to add, for instance, php or apache to the chown group, and then chmod to 0764? If such a thing is possible, I'm not sure how I would add php/apache to the chown group on a windows machine (to which I have no access at the moment), in the event I wish to use windows, too.
Any help/information/clarification would be much appreciated.
Thank you.
Only the user that does the php script (typically www-data or nobody) needs rights... Basically: only user, group or others need specific rights... (And certainly not all of the three groups)... Thus in a 'only rights that are absolutely needed scenario' you would have at least two 0's in the value...
I'm such a fool!
For some reason I was thinking (maybe because my uploads are assigned to chown "nobody") that php did everything as world, and I never bothered to try setting things otherwise!
Thanks, I'll try that. Also, are there any major file-safety/security concerns with having php alter files in a separate /var/files directory if it is not web-accessible?
For some reason I was thinking (maybe because my uploads are assigned to chown "nobody") that php did everything as world, and I never bothered to try setting things otherwise!
Thanks, I'll try that. Also, are there any major file-safety/security concerns with having php alter files in a separate /var/files directory if it is not web-accessible?
PHP has the same permissions, name and group as the webserver. The web user generally runs under user "www". Basically what you want to do is make these files writeable by the user www. You use chown to do this.
Then you want to give read/write/execute permission to just the file owner (which we specified with chown) user and read access to everybody else. You do this with the chmod command.
This sets the groups and Other users permissions to read only. Now nobody but the webserver (and php) can tinker with your files. Here's a chmod tutorial : http://www.catcode.com/teachmod/index.html
Code: Select all
chown -R www ./image_directoryCode: Select all
chmod -R go=rIf I may I would like to hook up on this question. I understand the basics of users, group and world and permissions.
All fine in theory but I have come across so many (shared) hosts on which often scripts have to be set to 0777 to function. At the same time, sometimes scripts will create directories or files, which I then cannot access, edit or delete myself (with FTP for example). Very annoying.
So can anyone explain why that happens? Which (apache) setting may cause this?
All fine in theory but I have come across so many (shared) hosts on which often scripts have to be set to 0777 to function. At the same time, sometimes scripts will create directories or files, which I then cannot access, edit or delete myself (with FTP for example). Very annoying.
So can anyone explain why that happens? Which (apache) setting may cause this?
It's probably an execute bit that needs to be set, and chmod 777 obviously makes the file executable by anybody.matthijs wrote:If I may I would like to hook up on this question. I understand the basics of users, group and world and permissions.
All fine in theory but I have come across so many (shared) hosts on which often scripts have to be set to 0777 to function. At the same time, sometimes scripts will create directories or files, which I then cannot access, edit or delete myself (with FTP for example). Very annoying.
So can anyone explain why that happens? Which (apache) setting may cause this?
Well, the strange thing is that if you install exactly the same script on different hosts, sometimes different permissions are needed. So it is something in the way apache handles the settings. Like apache sees every script as owned by "world" and therefore they need 777. On other hosts its 755. But why is it that sometimes a directory made by a script is inaccessible with my FTP client or control panel? Or is it because apache has created the directory, not the script? (and set the permissions too strict)
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
I do admit that at first it might look a bit confusing.. Eg:
- Overhere homedirectories are created with (username : services)
Thus when i give rights to access my homedir to group i know that i only give services rights to access it.. Since other users are not in the services group, they have to stay out
)
- My pubwww directory is owned by timvw : users
- Overhere homedirectories are created with (username : services)
- Apache runs as nobody : nobody and is a member of the services group (users are not part of that group).timvw@madoka:~$ ls -la ~
total 144
drwx--x--- 14 timvw services 4096 Aug 27 12:40 .
Thus when i give rights to access my homedir to group i know that i only give services rights to access it.. Since other users are not in the services group, they have to stay out
- My pubwww directory is owned by timvw : users
In order to give apache rights to the file i have to give others read rights (since apache is not in the users group).timvw@madoka:~$ ls -la src/timvw.madoka.be/
total 20
drwx-----x 3 timvw users 4096 Jun 16 01:05 .
Different distros and systems use different user and group schemes. Personally, I use FreeBSD which has apache running as user www. As someone mentioned, some hosts/distros have apache running under the user nobody.matthijs wrote:Well, the strange thing is that if you install exactly the same script on different hosts, sometimes different permissions are needed. So it is something in the way apache handles the settings. Like apache sees every script as owned by "world" and therefore they need 777. On other hosts its 755. But why is it that sometimes a directory made by a script is inaccessible with my FTP client or control panel? Or is it because apache has created the directory, not the script? (and set the permissions too strict)
If apache has write permissions to a directory, any file it creates is gonna be owned by apache's user and group. When you try to modify these files through ftp, you are accessing them with your personal users permission, which often times means you won't have read/write access. One way to get around this is to chown them to be owned by you, but in the www group.
Code: Select all
chown -R username:www ./the_directoryThanks. I'll remember this for when I have command line access to my host accounts. At the moment it's FTP-only, unfortunately. It's really a pita to not be able to set the permissions I would like.bg wrote:One way to get around this is to chown them to be owned by you, but in the www group.
Code:. Then give write and execute permissions to both owner and group and just read permission to others. This will allow your scripts to run correctly and for you to modify these scripts through ftp.Code: Select all
chown -R username:www ./the_directory
(So if anyone knows a good host...)