Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 458
  • Last Modified:

Safe uploading with Apache/PHP/Debian

Hi all,

I've written a small PHP app that involves allowing users to upload images. I developed it under Windows and am now moving it to the Debian server.

Under windows, Apache by default had permissions to write to the file system. Under Linux www-data doesn't, and with good reason I figure. So, what the correct/safe way to allow users to upload files? Just give www-data write permissions on the certain folders? Or is there a smarter way?

Thanks,

Pete
0
PeterLengly
Asked:
PeterLengly
2 Solutions
 
MercantilumCommented:
'www-data' being the user running your apache (httpd) server,  
[i.e.. you have "User www-data" directive in your httpd.conf], yes you have to give this unix user the write access to the directory.

A way to do that is
if your upload path is /home/upload

  chown -R www-data:root /home/upload
  chmod -R 750 /home/upload

This way the www-data user gets '7' (rwx) rights, the root group gets r-x, and other nothing.

(or if you want to affine for directories and files:
for each directory inside /home/upload
  chmod 750 /home/upload /home/upload/otherdir ...
  chmod 640 /home/upload/*   /home/upload/otherdir/*
to prevent the 'execute' access on files)
0
 
PeterLenglyAuthor Commented:
Hi Mercantilum,

That's pretty much what I figured - just wondered if there was a cleaner way than running around giving write access (Unfortunatly people upload to an upload directory each, so there'll be lots of directories, although well defined, which will need write access).

They're only uploading images, but I like the tip about preventing execution. I'll go set that up and get back to you once I have it working.
0
 
rama_krishna580Commented:
HI,

PHP by default runs as the web user (www-data) and not as the user that owns a particular file. In short, PHP can't modify files owned by you. You can also run php scripts as a CGI (through CGI-Wrap; just change the first line of the script to:
#!/usr/local/bin/php, ala perl CGI's...) so the script runs as you, and will have full read/write access to anything in your home directory. PHP does run slower as a CGI, but it is the only way to securely write files (or delete them) in your home directory. You may want to consider writing a simple PHP script as a CGI (or perl or even a shell script) that only does file writes and deletes (and pass file names as a variable to that script) and call that CGI from your other PHP scripts using the "virtual" directive.

for more Faq try this...

http://support.martnet.com/faq.php?get=1015

R.K
0
 
periwinkleCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

    SPLIT:  Mercantilum, rama_krishna580

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Periwinkle
EE Cleanup Volunteer
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now