Unable to open a file for writing / permission for a folder

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

MIHAIO
Forum Newbie
Posts: 7
Joined: Thu Nov 27, 2008 11:46 pm

Post by MIHAIO »

Hello,
I had this code for saving thumbnails into the db (some of it):

Code:

    .................
    $img2 = imagecreatetruecolor(150, 150);
    imagecopyresampled($img2, $img, 0, 0, 0, 0, $thumb_x, $thumb_y, $w, $h);

    // File name: current timestamp followed by the user id
    $fimg = time() . $userid . '.jpg';
    // realpath() returns false on failure (e.g. when "temp" does not exist)
    $real_tpath = realpath("temp");

    if ($HTTP_ENV_VARS['OS'] == 'Windows_NT') {
        $real_tpath = str_replace("\\", "\\\\", $real_tpath);
        $file = $real_tpath . "\\" . $fimg;
    } else {
        $file = $real_tpath . "/" . $fimg;
    }

    // Write the thumbnail as a JPEG with quality $C_QUAL
    imagejpeg($img2, $file, $C_QUAL);

    imagedestroy($img2);
    imagedestroy($img);

    return $file;
    ...............

It worked on my computer but of course when I uploaded on the server I got the error:

Code:

    Warning: imagejpeg() [function.imagejpeg]: Unable to open '/1231707631.jpg' for writing: Permission denied in /home/<user>/public_html/photos.php on line 220

So I created a folder ‘images’ outside of public_html, thus '/home/<user>/images', and I changed

Code:

    $file = $real_tpath . "/" . $fimg;

to

Code:

    $file = $real_tpath . "../images/" . $fimg;

The permission for ‘images’ is 0755 (the default one when the folder was created).

Is this the right approach?

Thanks
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Re: Unable to open a file for writing / permission for a folder

Post by daedalus__ »

i think you have to set the directory permission to 777. i'm not certain
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Unable to open a file for writing / permission for a folder

Post by kaisellgren »

daedalus__ wrote: i think you have to set the directory permission to 777. i'm not certain
No, definitely not. Never use 0777. The "highest" you can use "securely" is 0774.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Unable to open a file for writing / permission for a folder

Post by jaoudestudios »

Start at one end of the scale (i.e. 777) and work to the other end and see where it fails. Then take it from there. But like kaisellgren said, 777 is dangerous!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Unable to open a file for writing / permission for a folder

Post by kaisellgren »

Depending on the situation you might be able to use 0600. Try it if you have problems, if not then use it.
MIHAIO
Forum Newbie
Posts: 7
Joined: Thu Nov 27, 2008 11:46 pm

Re: Unable to open a file for writing / permission for a folder

Post by MIHAIO »

Thank you for the answers!
I have used 0755.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Unable to open a file for writing / permission for a folder

Post by kaisellgren »

MIHAIO wrote: Thank you for the answers!
I have used 0755.
Why do you need executive permissions?
MIHAIO
Forum Newbie
Posts: 7
Joined: Thu Nov 27, 2008 11:46 pm

Re: Unable to open a file for writing / permission for a folder

Post by MIHAIO »

Nothing else worked so I had to leave the folder permission to its default value.
MIHAIO
Forum Newbie
Posts: 7
Joined: Thu Nov 27, 2008 11:46 pm

Re: Unable to open a file for writing / permission for a folder

Post by MIHAIO »

Hi Kai,

Thank you for following up on this, as I wondered myself whether I had tried permissions lower than 755, even though I knew I did,
so I decided to try again.
I started with 500, 540, etc. up to 700, when it worked!

I am pretty sure that they changed something meanwhile as before the files I would upload using File Manager in CP would not overwrite the existing files even if I did check the ‘Overwrite existing files’ checkbox.

So I had to upload them in a ‘transit’ folder and then just drag and drop the files onto the folder I wanted to have the files in and using this way they would overwrite the existing files.

Maybe these issues were not related at all.
But the other day the overwriting worked, and so did setting the permission at 700 (i.e. no more errors when uploading images).
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Unable to open a file for writing / permission for a folder

Post by kaisellgren »

MIHAIO wrote: Hi Kai,

Thank you for following up on this, as I wondered myself whether I had tried permissions lower than 755, even though I knew I did,
so I decided to try again.
I started with 500, 540, etc. up to 700, when it worked!

I am pretty sure that they changed something meanwhile as before the files I would upload using File Manager in CP would not overwrite the existing files even if I did check the ‘Overwrite existing files’ checkbox.

So I had to upload them in a ‘transit’ folder and then just drag and drop the files onto the folder I wanted to have the files in and using this way they would overwrite the existing files.

Maybe these issues were not related at all.
But the other day the overwriting worked, and so did setting the permission at 700 (i.e. no more errors when uploading images).
The 0700 can be changed to 0600.

Let me give you a general tip. You really should only use numbers 6, 4, 2 and 0 unless you want the file to work with other programs like Crontab. For example, don't use 0700, because it has the number 7 which does not belong to that 'safe list'.

In addition to that, avoid having the number 6.

As a rule of thumb, first try 0400 (not writable), if you need to write to the file then use 0600. If those do not work, try 0660.

And also, 0500, 0540, 0550, 0554, 0555 are not the way to go. Do not use them.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Unable to open a file for writing / permission for a folder

Post by matthijs »

Kai, isn't it also the case that the owner and group of the file make a difference? One time 666 is enough to run a script, other times 777 is needed. I understand what the numbers mean, but somehow they don't always work as you'd expect them to work.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Unable to open a file for writing / permission for a folder

Post by Eran »

It depends on the permissions of the process trying to access the files. PHP usually runs as apache user, and has the permissions given to that user and group. Those can diverge a lot depending on the setup of the server.
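
Added example, not part of any post in this thread: a small PHP check of which permission class (owner, group or other) applies to the process and whether that class's bits allow creating a file in a directory, which is the question behind the modes tried above. The function name `canCreateIn`, the UIDs/GIDs (1000 for the account owner, 33 for a separate web-server user) and the sample cases are constructed for illustration; ACLs and root are not modelled.

```php
<?php
// Added example, not code from the thread. Plain owner/group/other mode bits
// only; ACLs and root (UID 0, which bypasses these checks) are out of scope.

/**
 * Which permission class applies to a process, and may it create a file
 * inside the directory? Returns [class, bits, allowed].
 */
function canCreateIn(int $mode, int $dirUid, int $dirGid,
                     int $procUid, array $procGids): array
{
    // Only the first matching class is consulted: owner, then group, then other.
    if ($procUid === $dirUid) {
        [$class, $bits] = ['owner', ($mode >> 6) & 7];
    } elseif (in_array($dirGid, $procGids, true)) {
        [$class, $bits] = ['group', ($mode >> 3) & 7];
    } else {
        [$class, $bits] = ['other', $mode & 7];
    }
    // Adding a directory entry needs write (2) AND search/execute (1).
    return [$class, $bits, ($bits & 3) === 3];
}

// Constructed cases: UID/GID 1000 = account owner, 33 = separate web-server user.
$cases = [
    'PHP runs as owner, dir 0700'   => [0700, 1000, 1000, 1000, [1000]],
    'PHP runs as owner, dir 0600'   => [0600, 1000, 1000, 1000, [1000]],
    'PHP runs as owner, dir 0500'   => [0500, 1000, 1000, 1000, [1000]],
    'PHP is another user, dir 0755' => [0755, 1000, 1000, 33, [33]],
    'PHP in dir group, dir 0770'    => [0770, 1000, 1000, 33, [33, 1000]],
    'PHP is another user, dir 0777' => [0777, 1000, 1000, 33, [33]],
];
foreach ($cases as $label => $args) {
    [$class, $bits, $ok] = canCreateIn(...$args);
    printf("%-32s class=%-5s rwx=%o create=%s\n", $label, $class, $bits, $ok ? 'yes' : 'no');
}

// Live check for the directory this script sits in (needs the posix extension).
if (function_exists('posix_geteuid')) {
    $dir = __DIR__;
    [$class, $bits, $ok] = canCreateIn(
        fileperms($dir) & 0777, fileowner($dir), filegroup($dir),
        posix_geteuid(), array_merge([posix_getegid()], posix_getgroups())
    );
    printf("%s: PHP is '%s' (rwx=%o), create=%s\n", $dir, $class, $bits, $ok ? 'yes' : 'no');
}
```

The 0777 case passes only because it grants write access to every local account; putting the PHP process in the owner or group class of the directory gives the same result with a narrower mode.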
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Unable to open a file for writing / permission for a folder

Post by kaisellgren »

I have never met anyone who really needs 0777. I can't think of a situation where you need 0777.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Unable to open a file for writing / permission for a folder

Post by VladSun »

kaisellgren wrote:I have never met anyone who really needs 0777. I can't think of a situation where you need 0777.
:P
/temp
There are 10 types of people in this world, those who understand binary and those who don't
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Unable to open a file for writing / permission for a folder

Post by kaisellgren »

VladSun wrote:
kaisellgren wrote:I have never met anyone who really needs 0777. I can't think of a situation where you need 0777.
:P
/temp
I bet 0776 or 0767 is enough. I have to go to work so can't test now...