777 issue
Posted: Sat Nov 18, 2006 6:31 pm
by julian_lp
I've the following folder structure:
public_html
|--->galleries
|--->gallery
|--->images
I need to be able to write/delete files on gallery, from script running on galleries, and upload files (and delete them) to images, always from script on galleries.
In one of the shared servers I tested my script on, it worked fine. All the folders have 755 permission.
On the other hand, on another server I had to chmod 777 both gallery and images so as not to get "is not within the allowed path" kind of errors.
(In both cases, all the folders were created through an FTP account, not by a PHP script.)
Can anyone elaborate on this issue, how it should be solved (if there is a way), and what the risks of having 777 directories are?
Re: 777 issue
Posted: Sat Nov 18, 2006 6:43 pm
by timvw
julian_lp wrote:
Can anyone elaborate on this issue, how it should be solved (if there is a way), and what the risks of having 777 directories are?
What do you know about file permissions on ext2? Which articles have you read so far?
Things to look up (the help of a sysadmin may be handy):
- the owners (and group) to which the directories belong (from / to / .... / images)
- under which user account (and group) are the scripts executed? Do they belong to any of the groups found in the list of directories above? Or are they in certain areas part of the 'others'.
- what are the default file creation settings in your ftpd configuration?
Re: 777 issue
Posted: Sat Nov 18, 2006 6:58 pm
by julian_lp
timvw wrote: julian_lp wrote:
Can anyone elaborate on this issue, how it should be solved (if there is a way), and what the risks of having 777 directories are?
What do you know about file permissions on ext2? Which articles have you read so far?
Things to look up (the help of a sysadmin may be handy):
- the owners (and group) to which the directories belong (from / to / .... / images)
- under which user account (and group) are the scripts executed? Do they belong to any of the groups found in the list of directories above? Or are they in certain areas part of the 'others'.
- what are the default file creation settings in your ftpd configuration?
Ohhh, I thought there would be a short answer like "Hey! do that..."
I've been reading a lot of articles, but I just think I don't have enough knowledge to follow them. There also seem to be some opposing opinions on this topic, for instance, here:
http://www.simplemachines.org/community ... ic=2987.30
the guy is almost saying "come on, just chmod it 777 and don't worry about that"
When you say "owners, group", you're talking about Unix/Linux filesystem right? Or is it some kind of hidden php feature?
I thought that on every shared server, I would be able to write/delete to every folder (whose parent is my local_html ) I wanted. That seems not to be the case.
I've read this topic, although it seems to be dead with unanswered questions...
http://www.devnetwork.net/forums/viewto ... c&start=30
I'll continue reading. Meanwhile, if anyone likes, feel free to elaborate a little more please.

Posted: Sat Nov 18, 2006 8:41 pm
by Ambush Commander
the guy is almost saying "come on, just chmod it 777 and don't worry about that"
It'll work, but is bad security practice.
When you say "owners, group", you're talking about Unix/Linux filesystem right? Or is it some kind of hidden php feature?
Unix, not PHP or FTP.
I thought that on every shared server, I would be able to write/delete to every folder (whose parent is my local_html ) I wanted. That seems not to be the case.
Nope, and that's because of file permissions.
The 777 is three digits, each representing Owners, Group, World. Owner is (usually) you. Group is people in your group. World is any user on the server. 7 = 4 + 2 + 1, where the 4 grants read access, the 2 grants write access, and the 1 grants execute access.
So, for example, if you write 755, the owner is allowed to read/write/execute the file, while group+world can only read or execute. 000 means no one is allowed to read/write/execute.
Only the owner of the file is allowed to chmod it.
Posted: Sat Nov 18, 2006 9:16 pm
by julian_lp
Ambush Commander wrote:
I thought that on every shared server, I would be able to write/delete to every folder (whose parent is my local_html ) I wanted. That seems not to be the case.
Nope, and that's because of file permissions.
The 777 is three digits, each representing Owners, Group, World. Owner is (usually) you. Group is people in your group. World is any user on the server. 7 = 4 + 2 + 1, where the 4 grants read access, the 2 grants write access, and the 1 grants execute access.
So, for example, if you write 755, the owner is allowed to read/write/execute the file, while group+world can only read or execute. 000 means no one is allowed to read/write/execute.
Only the owner of the file is allowed to chmod it.
So far so good, quite clear explanation. Now comes the obvious question:
What should I do in order to be the folder's owner? I mean, is there anything I can do?
Posted: Sat Nov 18, 2006 9:23 pm
by Ambush Commander
It depends on what sense. Strictly speaking, you own the file when you can ssh in and then ls -l, and see that the owner column is set to you.
But the PHP script is run from the perspective of the webserver. So we ask: who is the webserver running under: your Unix user, or some generic webserver user? If it is running from your name (and it should be), then it should be able to chmod. If it's from a generic user, you're outta luck, and will have to chmod it 777.
Posted: Sat Nov 18, 2006 9:35 pm
by julian_lp
Ambush Commander wrote:It depends on what sense. Strictly speaking, you own the file when you can ssh in and then ls -l, and see that the owner column is set to you.
But the PHP script is run from the perspective of the webserver. So we ask: who is the webserver running under: your Unix user, or some generic webserver user? If it is running from your name (and it should be), then it should be able to chmod. If it's from a generic user, you're outta luck, and will have to chmod it 777.
Firstly, many thanks for your fast response.
With regard to the webserver, I've only a username and password for an FTP account, and access to a public_html folder, so I have no @#$"!$ idea what user Apache is running under. In short, I'll have to chmod it to 777.
Anyway, it's a quite interesting topic which I'll try to gain good knowledge about.
Posted: Sat Nov 18, 2006 9:48 pm
by julian_lp
I kept thinking about one thing, so I'll put it here:
On a shared server, could Apache (and PHP) be configured to run individually for every account? (That seems to be the right way.)
I ask this because I've a couple of sites whose folders are 755 and I'm perfectly able to write/delete in every folder I create further down in the hierarchy. I'm wondering whether other Apache/PHP users on the same server are owners of my folders or not. I guess they would be owners if Apache ran under one unique user.

Posted: Sat Nov 18, 2006 9:51 pm
by Ambush Commander
I'm not really qualified to answer, as I don't run a shared hosting company, but yes, I'm fairly certain they can. Virtual hosts and stuff.
If that's not the case, they should have some other sort of protection in place to prevent other users from meddling with your files. But you never know...

Posted: Sun Nov 19, 2006 3:32 am
by timvw
julian_lp wrote:
So far so good, quite clear explanation. Now comes the obvious question:
What should I do in order to be the folder's owner? I mean, is there anything I can do?
Apart from the quick introduction, you still have to figure out what the effects of rwx on a directory are... What does it mean that you can 'execute' a directory? ..
Once you've done that, you'll have to write down your scheme... For each directory find out who owns it, who needs access... Once you know that you can derive the required rights. As long as you don't do that, you'll only be second guessing... and praying that it works...
In the apache2handler section of phpinfo input you find the user/group that is executing the script. (As I wrote before: simply ask your sysadmin or consult her FAQ.)
Posted: Sun Nov 19, 2006 3:33 am
by matthijs
I guess that's a drawback with (many) shared hosting plans. Mind you, I've always been on shared hosting because the difference in price ($2 vs $20+) is still a bit too large to go for dedicated.
One other very annoying problem I've had with some gallery scripts is not being able to edit or delete the folders/files which have been created by the script. It's like the script runs as a different user than the server/ftp user. So after the script has created files or folders I can't even access them with my ftp account or from the control panel on the server.
I think on many/some shared hosts the individual accounts are "protected" by setting the open_basedir directive, which limits the files that can be opened by PHP to a specific directory (i.e. your account on the shared host).
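
The checklist discussed in this thread (who owns each directory, which user the script runs as, which of the owner/group/world digits therefore applies, and whether open_basedir is set) can be answered from an FTP-only account with a small PHP script; this is an added example, not code posted by anyone in the thread. The directory paths are assumptions based on the layout in the first post, and it reports open_basedir because PHP's "is not within the allowed path(s)" message is the one emitted for open_basedir restrictions.

```php
<?php
// Added example, not code from the thread. The directory names are assumptions
// based on the layout in the first post; adjust them to the real paths.
$dirs = [__DIR__, __DIR__ . '/../gallery', __DIR__ . '/../images'];

// Which permission class (owner, group, world) applies to the running process.
function permission_class(int $fileUid, int $fileGid, int $procUid, array $procGids): string
{
    if ($procUid === $fileUid) {
        return 'owner';              // owner bits apply even if group bits are wider
    }
    return in_array($fileGid, $procGids, true) ? 'group' : 'world';
}

// The rwx bits of one class, taken from a mode such as 0755.
function class_bits(int $mode, string $class): string
{
    $bits = ($mode >> ['owner' => 6, 'group' => 3, 'world' => 0][$class]) & 7;
    return (($bits & 4) ? 'r' : '-') . (($bits & 2) ? 'w' : '-') . (($bits & 1) ? 'x' : '-');
}

header('Content-Type: text/plain');
if (!function_exists('posix_geteuid')) {
    exit("posix extension missing: read the user/group from phpinfo() instead\n");
}
$uid  = posix_geteuid();
$gids = array_merge([posix_getegid()], posix_getgroups() ?: []);
$name = posix_getpwuid($uid)['name'] ?? (string) $uid;
echo "script runs as: $name (uid $uid)\n";
echo 'open_basedir:   ' . (ini_get('open_basedir') ?: '(not set)') . "\n\n";

foreach ($dirs as $dir) {
    $st = @stat($dir);
    if ($st === false) {
        echo "$dir: cannot stat (missing, or outside open_basedir)\n";
        continue;
    }
    $mode  = $st['mode'] & 0777;     // drop the file-type bits, keep rwxrwxrwx
    $class = permission_class($st['uid'], $st['gid'], $uid, $gids);
    printf(
        "%s: mode %03o, owner uid %d, gid %d, script is '%s' (%s)%s\n",
        $dir, $mode, $st['uid'], $st['gid'], $class, class_bits($mode, $class),
        ($mode & 0002) ? ', WORLD-WRITABLE' : ''
    );
}
```

If the script reports 'owner' with `rwx`, 755 is sufficient; if it reports 'world', the directory is only writable by the script when the last digit includes write, which also lets every other account on the server write there. Remove the script after use, since it discloses account and path details.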