Setting file permissions for SECURE download

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

gcreddy
Forum Newbie
Posts: 10
Joined: Tue Sep 08, 2009 8:26 am

Setting file permissions for SECURE download

Post by gcreddy »

Hello....I am a novice and have been developing a secure file transfer system in php....I want to enable ONLY my clients to be able to download their files......for example....in my code....if I write the following line

<a href="/images/image1.jpg">Download here</a>

My client should be able to download that file.....however.....if someone types "http://www.domainname.com/Folder1/images/image1.jpg" and pastes it into their browser....the access should be denied....

In fact....if someone types "http://www.domainname.com/Folder1/" the contents of the folder also shouldn't be displayed....

Can someone tell me how I should change the permissions (right now all the permissions are set to 0755 i.e. rwxr-xr-x) on my server and the changes (if any) that should be done to my code to enable this feature??

Regards,
G.C.Reddy
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Setting file permissions for SECURE download

Post by kaisellgren »

The file system permission applies to the file system only. What you want is to move those files to a non-web accessible folder. Then you would write a PHP script to fetch the files if the user is authorized to access the files.
gcreddy
Forum Newbie
Posts: 10
Joined: Tue Sep 08, 2009 8:26 am

Re: Setting file permissions for SECURE download

Post by gcreddy »

Yeah....but what are the settings of the non-accessible web folder?
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Setting file permissions for SECURE download

Post by Eric! »

He means to move it outside of the directories being served by the HTML server.

For example, say your directory structure looks something like this:

.../user/public_html/all_your_web_page_crap_is_in_here
.../user/file
.../user/email
.../user/tmp

You would want to put the files in a directory under /user, but not inside public_html. That way there is no way for someone outside of your server to access that directory through http. Then you write a php file that authenticates the user, and serves the file from your /user/download directory or whatever you call it.

You don't need to worry about file permissions, that is only for file system access on the server, nothing else.
gcreddy
Forum Newbie
Posts: 10
Joined: Tue Sep 08, 2009 8:26 am

Re: Setting file permissions for SECURE download

Post by gcreddy »

Hi Eric!

Thanks for that input. I have done as you said. I have changed the path to /dropbox/domainname/Users/... in the PHP script (instead of using the path to the public html folder). I still have one problem however and that is I am unable to download the files listed under the directories. In the PHP script, I gave the link as follows:

My PHP script is in the webdocs folder (which....in this case is the public html folder if I am not wrong)

$dir = '../dropbox/sallyjohns/';
echo '<a href="'.$dir.'/'.$filename.'">Click Here</a>';

When I click on that link, I am getting file not found (which obviously is right....because the hyperlink is being read as http://www.domainname.com/dropbox/sallyjohns/filename and the dropbox doesn't exist in the public html folder).

Except this problem, everything else is working fine. I am able to create directories, upload files and traverse through the folders. I just need people to be able to download when they click on their files. Is there anywhere I can redirect them to or am I doing something wrong?

Regards,
G.C.Reddy
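
The approach the replies above describe, applied to the folder layout in this post, as an added example that is not code from any poster in the thread: the link points at a PHP script instead of the file, and the script checks the session and streams the file from outside the web root. The script name download.php, the `file` query parameter and `$_SESSION['username']` (set by a login page) are assumptions.

```php
<?php
// download.php: added example, not code from the thread.
// Assumptions (hypothetical names): a login page stored the client's folder
// name in $_SESSION['username']; files live in ../dropbox/<username>/, outside
// the web root. The listing page links here instead of to the file:
//   echo '<a href="download.php?file=' . rawurlencode($filename) . '">Click Here</a>';
session_start();

const STORAGE_ROOT = __DIR__ . '/../dropbox';

// Map a requested name to a real path inside the user's own folder, or null.
function resolve_user_file(string $root, string $user, $name): ?string
{
    if (!is_string($name) || strpos($name, "\0") !== false
        || !preg_match('/^[A-Za-z0-9_-]+$/', $user)) {
        return null;
    }
    // basename() drops directory parts such as "../" from the requested name.
    $base = realpath($root . '/' . $user);
    $path = realpath($root . '/' . $user . '/' . basename($name));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so check containment on the resolved path.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (empty($_SESSION['username']) || !is_string($_SESSION['username'])) {
    http_response_code(403);   // not logged in: no file access
    exit('Access denied');
}

$path = resolve_user_file(STORAGE_ROOT, $_SESSION['username'], $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}

// Force a download with a generic type so the browser does not render it.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
readfile($path);
```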
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Setting file permissions for SECURE download

Post by kaisellgren »
