I know there are lots of comments on the net regarding this, but... there are so many conflicting opinions that I'm more confused than when I started.
My users are able to upload images to a directory. What is the minimum security permission that I need to set on the directory?
I have it set to 777 at the moment.
Code-wise I validate that the file extension is .jpg, .gif or .png, then copy to the upload directory:
copy($_FILES['userfile']['tmp_name'], $saveName );
Many thanks for any help
Russ
upload & permissions
Re: upload & permissions
600 would be the minimum you could get away with, that's the owner can read and write. 644 would be the owner can read/write and anyone can read.
- rukksi9999
- Forum Newbie
- Posts: 2
- Joined: Sun Oct 04, 2009 7:11 pm
Re: upload & permissions
Right, that's what I would think. Now my problem is that I am a little confused as to who the owner is. Am I right in thinking that if I create the file in an FTP client (fireftp) then the owner will be the FTP user, meaning that at runtime the user trying to access the file will be the PHP user, and so the relevant security setting will be the 'public' setting?
If I write a PHP script to create the directory, then the owner will be the PHP user and so the relevant security setting will be 'owner'?
I'm finding that I need to allow write permissions for public (e.g. 777) on the public_html directory temporarily while my PHP script creates the child directory, my plan being that I would chmod the child directory to 666. But when the directory is created it gets set to 644, which then means I get permission denied when the upload script attempts to write the file.
//php create directory code
mkdir($thisdir ."/child" , 0666);
Does anyone have a Linux/Apache security 101 resource out there?
Thanks
Russki
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: upload & permissions
To be able to upload to that directory, write permissions are needed for PHP (Apache). If the folder was created from PHP, then an owner-writable folder is enough; otherwise you need either group or public writing, depending on whether the FTP client is in the same group, which I doubt. You can try to use chown() to switch the owner.
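
An added example, not code from the thread, of the approach in the reply above: the PHP script creates the directory itself so that it is the owner, and uses a directory mode that includes the execute (search) bit, which 0666 lacks. The `child` path and `userfile` field follow the question; the function names and the 0755/0644 modes are assumptions.

```php
<?php
// Added example. ensureUploadDir() and storeUpload() are hypothetical helpers.

/**
 * Create the upload directory as the PHP user so the "owner" bits apply.
 * mkdir()'s mode is masked by the process umask (0666 & ~022 = 0644), and a
 * directory without the execute bit cannot be entered, hence "permission denied".
 */
function ensureUploadDir(string $dir, int $mode = 0755): void
{
    if (!is_dir($dir) && !mkdir($dir, $mode, true) && !is_dir($dir)) {
        throw new RuntimeException("Cannot create $dir");
    }
    // chmod() ignores the umask. It fails if another user (e.g. the FTP
    // account) owns the directory, which is the ownership problem in the thread.
    if (!chmod($dir, $mode)) {
        throw new RuntimeException("Cannot chmod $dir (not owned by the PHP user?)");
    }
}

function storeUpload(array $file, string $dir): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with code $err");
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'gif', 'png'], true)) {
        throw new RuntimeException('Extension not allowed');
    }
    // Server-generated name: the client-supplied name never reaches the disk.
    $target = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() only accepts files that arrived via HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move upload');
    }
    chmod($target, 0644); // owner read/write, everyone else read-only
    return $target;
}

if (isset($_FILES['userfile'])) {
    $dir = __DIR__ . '/child';
    ensureUploadDir($dir);
    echo basename(storeUpload($_FILES['userfile'], $dir));
}
```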