Allowing dotProject to write to folders without chmod 777?

Need help installing PHP, configuring a script, or configuring a server? Then come on in and post your questions! We'll try to help the best we can!

Moderator: General Moderators

Post Reply
User avatar
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Allowing dotProject to write to folders without chmod 777?

Post by Nathaniel »

Hey DevNetwork,

I'm in the process of installing dotProject, and it has this message: "If the message 'World Writable' appears after a file/directory, then Permissions for this File have been set to allow all users to write to this file/directory. Consider changing this to a more restrictive setting to improve security. You will need to do this manually."

I've tried setting the folders to 775, and dotProject continues to say it can't write to them; but if I set them to 777, it will say it can write to the folders but puts 'World Writable' after it.

-- Edit: That is, if the Write permissions for the World aren't enabled (772, 773, 776, 777), it won't work, but if they are, it says 'World Writable'. It's an either-or, it seems... --

I'm on a shared Apache 1.3.x host; if there is anything else you might need to know to help me, I'll try to find it and post it here.

- Nathaniel
zzap64
Forum Newbie
Posts: 2
Joined: Thu Aug 23, 2007 10:55 am

Post by zzap64 »

I realise you posted this a good while ago but I've been having the same problem / concerns and a search on Google didn't get me anywhere.. apart from your post.

Did you ever find a solution?

From general linux web dev I've found that I need to make folders world writable to be able to upload files to it from a browser, but that does seem a security risk to me...
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

If you are able to do it - chown to Apache user and chmod to 0700
There are 10 types of people in this world, those who understand binary and those who don't
zzap64
Forum Newbie
Posts: 2
Joined: Thu Aug 23, 2007 10:55 am

Post by zzap64 »

Can't do that, the site is on a shared server. :(
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Apart from changing the owner you could also change the group of the files (and then preferably where only services like apache are in).. This way you have to grant access to group instead of world...
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

It is a common issue with shared hosting - one Apache user (for all clients) and many FTP users (for each client). The Apache user should have READ permission (and EXECUTE where it is expected, e.g. cgi-bin) on all files. If you want to upload file by using HTTP upload, then you have to chmod 0777 (by using your FTP user) the upload directory. The reasons for doing this are simple:

- 777 mode permits all users (including Apache) to have WRITE permissions on this directory - bad idea, but it is the only one working;

- chmod 770 is useless because if the Apache user (which is the one ALL clients have access to) is in the same group as your FTP user, then it is not "World writable", but "Apache user writable", which means all of the hosting clients still have write access to this directory;

- chmod 700 is useless because Apache user wouldn't be able to write to this directory (owned by the FTP user).

In fact, there is a solution - using VirtualHosts for Apache and PHP. So, clients are able to open only their own files.

E.g.:

Code: Select all

<VirtualHost *:80>
    ServerName example.com
    ServerAlias *.example.com
    User exampleuser
    Group examplegroup
    DocumentRoot /hosting/example.com/htdocs
    CustomLog "/wwwlog/example.com/access.log" combined
    ErrorLog  "/wwwlog/example.com/errors.log"
    <Directory "/hosting/example.com/htdocs">
       AllowOverride AuthConfig Indexes Limit Options
       Allow from all
    </Directory>
    Include /usr/local/apache/conf/example.com-vhost.conf
    php_admin_flag engine on
    php_admin_value open_basedir "/hosting/example.com/:/usr/lib/php/"
    php_admin_value doc_root /hosting/example.com/htdocs
    php_admin_value session.save_path /hosting/example.com/tmp
    php_admin_value upload_tmp_dir /hosting/example.com/tmp
    php_admin_value sendmail_from admin@example.com
  # php_admin_value file_uploads on
  # php_admin_value upload_max_filesize 10M
  # php_admin_value post_max_size 10M
</VirtualHost>
There are 10 types of people in this world, those who understand binary and those who don't
Post Reply