Page 1 of 2

understanding php permissions (and servers/OS's)

Posted: Sat Aug 26, 2006 12:45 pm
by jxn
Howdy,
I've written a modest php app that handles uploads or scanned files, renaming them based on user input and metadata, and occasionally deleting and moving them to keep the folders organized in a logical way, and I've got a few questions about worries I've had with php handling them.
First off, these files are all pretty important and I want to protect them... not necessarily accidental deletion by my app, which seems to be doing its job well, but from people wandering the folder of files and deleting them. Right now, my app edits/moves/etc. files from a non-web-accessible share /var/files. The problem is, I've had to chmod EVERYTHING 0777 (I think I could maybe do only 0777 for dirs and 0666 for files, though) to let php do its thing. Is there another way to accomplish this? Is it possible to add, for instance, php or apache to the chown group, and then chmod to 0764? If such a thing is possible, I'm not sure how I would add php/apache to the chown group on a windows machine (to which I have no access at the moment), in the event I wish to use windows, too.

Any help/information/clarification would be much appreciated.

Thank you.

Posted: Sat Aug 26, 2006 1:00 pm
by timvw
Only the user that does the php script (typically www-data or nobody) needs rights... Basically: only user, group or others need specific rights... (And certainly not all of the three groups)... Thus in a 'only rights that are absolutely needed scenario' you would have at least two 0's in the value...

Posted: Sat Aug 26, 2006 1:28 pm
by jxn
I'm such a fool!

For some reason I was thinking (maybe because my uploads are assigned to chown "nobody") that php did everything as world, and I never bothered to try setting things otherwise!

Thanks, I'll try that. Also, are there any major file-safety/security concerns with having php alter files in a separate /var/files directory if it is not web-accessible?

Posted: Sat Aug 26, 2006 1:36 pm
by bg
PHP has the same permissions, name and group as the webserver. The web user generally runs under user "www". Basically what you want to do is make these files writeable by the user www. You use chown to do this.

Code: Select all

chown -R www ./image_directory
Then you want to give read/write/execute permission to just the file owner (which we specified with chown) user and read access to everybody else. You do this with the chmod command.

Code: Select all

chmod -R go=r
This sets the groups and Other users permissions to read only. Now nobody but the webserver (and php) can tinker with your files. Here's a chmod tutorial : http://www.catcode.com/teachmod/index.html

Posted: Sat Aug 26, 2006 2:32 pm
by jxn
Thanks for the help; I'm already pretty familiar with chmod (been using it daily for 6+ years now), but I didn't know anything about how the server handles such things. It seems now that I figured out my server user and group are called "apache" things are working much better.

Posted: Sat Aug 26, 2006 4:24 pm
by matthijs
If I may I would like to hook up on this question. I understand the basics of users, group and world and permissions.

All fine in theory but I have come across so many (shared) hosts on which often scripts have to be set to 0777 to function. At the same time, sometimes scripts will create directories or files, which I then cannot access, edit or delete myself (with FTP for example). Very annoying.

So can anyone explain why that happens? Which (apache) setting may cause this?

Posted: Sat Aug 26, 2006 4:43 pm
by timvw
I don't have any experience with webhosts that really require rwx for user, group and others at the same time...

I do have seen INSTALL.TXT files saying that it's required, but that's just bollocks (in my experience) ;)

Posted: Sat Aug 26, 2006 8:40 pm
by bg
matthijs wrote:If I may I would like to hook up on this question. I understand the basics of users, group and world and permissions.

All fine in theory but I have come across so many (shared) hosts on which often scripts have to be set to 0777 to function. At the same time, sometimes scripts will create directories or files, which I then cannot access, edit or delete myself (with FTP for example). Very annoying.

So can anyone explain why that happens? Which (apache) setting may cause this?
It's probably an execute bit that needs to be set, and chmod 777 obviously makes the file executable by anybody.

Posted: Sun Aug 27, 2006 2:13 am
by matthijs
Well, the strange thing is that if you install exactly the same script on different hosts, sometimes different permissions are needed. So it is something in the way apache handles the settings. Like apache sees every script as owned by "world" and therefore they need 777. On other hosts its 755. But why is it that sometimes a directory made by a script is inaccessible with my FTP client or control panel? Or is it because apache has created the directory, not the script? (and set the permissions too strict)

Posted: Sun Aug 27, 2006 3:34 am
by RobertGonzalez
A lot of this depends on the server and setup of the server. Hosts set up accounts differently and this can affect your code dramatically.

Posted: Sun Aug 27, 2006 4:42 am
by matthijs
Yes, it seems like it. Maybe it is finally time for some (virtual) dedicated hosting..

Posted: Sun Aug 27, 2006 6:14 am
by timvw
I do admit that at first it might look a bit confusing.. Eg:

- Overhere homedirectories are created with (username : services)
timvw@madoka:~$ ls -la ~
total 144
drwx--x--- 14 timvw services 4096 Aug 27 12:40 .
- Apache runs as nobody : nobody and is a member of the services group (users are not part of that group).

Thus when i give rights to access my homedir to group i know that i only give services rights to access it.. Since other users are not in the services group, they have to stay out ;))

- My pubwww directory is owned by timvw : users
timvw@madoka:~$ ls -la src/timvw.madoka.be/
total 20
drwx-----x 3 timvw users 4096 Jun 16 01:05 .
In order to give apache rights to the file i have to give others read rights (since apache is not in the users group).

Posted: Sun Aug 27, 2006 10:04 am
by bg
matthijs wrote:Well, the strange thing is that if you install exactly the same script on different hosts, sometimes different permissions are needed. So it is something in the way apache handles the settings. Like apache sees every script as owned by "world" and therefore they need 777. On other hosts its 755. But why is it that sometimes a directory made by a script is inaccessible with my FTP client or control panel? Or is it because apache has created the directory, not the script? (and set the permissions too strict)
Different distros and systems use different user and group schemes. Personally, I use FreeBSD which has apache running as user www. As someone mentioned, some hosts/distros have apache running under the user nobody.

If apache has write permissions to a directory, any file it creates is gonna be owned by apache's user and group. When you try to modify these files through ftp, you are accessing them with your personal users permission, which often times means you won't have read/write access. One way to get around this is to chown them to be owned by you, but in the www group.

Code: Select all

chown -R username:www ./the_directory
. Then give write and execute permissions to both owner and group and just read permission to others. This will allow your scripts to run correctly and for you to modify these scripts through ftp.

Posted: Sun Aug 27, 2006 10:43 am
by matthijs
bg wrote:One way to get around this is to chown them to be owned by you, but in the www group.
Code:

Code: Select all

chown -R username:www ./the_directory
. Then give write and execute permissions to both owner and group and just read permission to others. This will allow your scripts to run correctly and for you to modify these scripts through ftp.
Thanks. I'll remember this for when I have command line access to my host accounts. At the moment it's FTP-only, unfortunately. It's really a pita to not be able to set the permissions I would like.
(So if anyone knows a good host...)

Posted: Sun Aug 27, 2006 10:56 am
by feyd
Many ftp clients support chmod as do many servers. It may be possible to run the changes via your particular combination.