Solved

Safe uploading with Apache/PHP/Debian

Posted on 2004-04-24
5
453 Views
Last Modified: 2010-03-04
Hi all,

I've written a small PHP app that involves allowing users to upload images. I developed it under Windows and am now moving it to the Debian server.

Under windows, Apache by default had permissions to write to the file system. Under Linux www-data doesn't, and with good reason I figure. So, what the correct/safe way to allow users to upload files? Just give www-data write permissions on the certain folders? Or is there a smarter way?

Thanks,

Pete
0
Comment
Question by:PeterLengly
5 Comments
 
LVL 10

Accepted Solution

by:
Mercantilum earned 63 total points
ID: 10909974
'www-data' being the user running your apache (httpd) server,  
[i.e.. you have "User www-data" directive in your httpd.conf], yes you have to give this unix user the write access to the directory.

A way to do that is
if your upload path is /home/upload

  chown -R www-data:root /home/upload
  chmod -R 750 /home/upload

This way the www-data user gets '7' (rwx) rights, the root group gets r-x, and other nothing.

(or if you want to affine for directories and files:
for each directory inside /home/upload
  chmod 750 /home/upload /home/upload/otherdir ...
  chmod 640 /home/upload/*   /home/upload/otherdir/*
to prevent the 'execute' access on files)
0
 

Author Comment

by:PeterLengly
ID: 10910986
Hi Mercantilum,

That's pretty much what I figured - just wondered if there was a cleaner way than running around giving write access (Unfortunatly people upload to an upload directory each, so there'll be lots of directories, although well defined, which will need write access).

They're only uploading images, but I like the tip about preventing execution. I'll go set that up and get back to you once I have it working.
0
 
LVL 23

Assisted Solution

by:rama_krishna580
rama_krishna580 earned 62 total points
ID: 10912464
HI,

PHP by default runs as the web user (www-data) and not as the user that owns a particular file. In short, PHP can't modify files owned by you. You can also run php scripts as a CGI (through CGI-Wrap; just change the first line of the script to:
#!/usr/local/bin/php, ala perl CGI's...) so the script runs as you, and will have full read/write access to anything in your home directory. PHP does run slower as a CGI, but it is the only way to securely write files (or delete them) in your home directory. You may want to consider writing a simple PHP script as a CGI (or perl or even a shell script) that only does file writes and deletes (and pass file names as a variable to that script) and call that CGI from your other PHP scripts using the "virtual" directive.

for more Faq try this...

http://support.martnet.com/faq.php?get=1015

R.K
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 11761523
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

    SPLIT:  Mercantilum, rama_krishna580

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Periwinkle
EE Cleanup Volunteer
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question