Secure permissions to enable file writing in directory

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
chandrika
Forum Newbie
Posts: 10
Joined: Fri Feb 05, 2010 11:20 am

Secure permissions to enable file writing in directory

Post by chandrika »

I wanted to check about the security of changing permissions to enable a php script to write to a directory on the server. This is the php code :

Code: Select all

//get html file and save on server as text
$ch = curl_init("http://site.com/file.html");
$fp = fopen("/home/username/public_html/text/file.txt", "w");

curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);

curl_exec($ch);
curl_close($ch);
fclose($fp);
I find I have to set the permissions of the /text/ directory to at least 767 to enable this, but feel unsure if that is safe.

Only the php script needs access to these text files, so would it be safer to write them in a directory outside of public_html?
User avatar
Jade
Forum Regular
Posts: 908
Joined: Sun Dec 29, 2002 5:40 pm
Location: VA

Re: Secure permissions to enable file writing in directory

Post by Jade »

Why 767? I would do 755 instead. http://www.zzee.com/solutions/chmod-755.shtml
User avatar
Zyxist
Forum Contributor
Posts: 104
Joined: Sun Jan 14, 2007 10:44 am
Location: Cracow, Poland

Re: Secure permissions to enable file writing in directory

Post by Zyxist »

The directory should be writeable by whom? A PHP script or through FTP? If you mean the first case, the only secure way is having a FastCGI/CGI PHP installation. If you use mod_php with Apache, there are no secure permissions, because the directory must be writable by a PHP script which is executed under the webserver rights shared by all the users. It means that someone else might request his PHP script to write something there and it will work. With FastCGI/CGI you can run separate PHP instances for every user that would execute on your own rights. Then, the permissions could be set to 700 for directories.
Post Reply