Solved

Safe uploading with Apache/PHP/Debian

Posted on 2004-04-24
5
449 Views
Last Modified: 2010-03-04
Hi all,

I've written a small PHP app that involves allowing users to upload images. I developed it under Windows and am now moving it to the Debian server.

Under windows, Apache by default had permissions to write to the file system. Under Linux www-data doesn't, and with good reason I figure. So, what the correct/safe way to allow users to upload files? Just give www-data write permissions on the certain folders? Or is there a smarter way?

Thanks,

Pete
0
Comment
Question by:PeterLengly
5 Comments
 
LVL 10

Accepted Solution

by:
Mercantilum earned 63 total points
ID: 10909974
'www-data' being the user running your apache (httpd) server,  
[i.e.. you have "User www-data" directive in your httpd.conf], yes you have to give this unix user the write access to the directory.

A way to do that is
if your upload path is /home/upload

  chown -R www-data:root /home/upload
  chmod -R 750 /home/upload

This way the www-data user gets '7' (rwx) rights, the root group gets r-x, and other nothing.

(or if you want to affine for directories and files:
for each directory inside /home/upload
  chmod 750 /home/upload /home/upload/otherdir ...
  chmod 640 /home/upload/*   /home/upload/otherdir/*
to prevent the 'execute' access on files)
0
 

Author Comment

by:PeterLengly
ID: 10910986
Hi Mercantilum,

That's pretty much what I figured - just wondered if there was a cleaner way than running around giving write access (Unfortunatly people upload to an upload directory each, so there'll be lots of directories, although well defined, which will need write access).

They're only uploading images, but I like the tip about preventing execution. I'll go set that up and get back to you once I have it working.
0
 
LVL 23

Assisted Solution

by:rama_krishna580
rama_krishna580 earned 62 total points
ID: 10912464
HI,

PHP by default runs as the web user (www-data) and not as the user that owns a particular file. In short, PHP can't modify files owned by you. You can also run php scripts as a CGI (through CGI-Wrap; just change the first line of the script to:
#!/usr/local/bin/php, ala perl CGI's...) so the script runs as you, and will have full read/write access to anything in your home directory. PHP does run slower as a CGI, but it is the only way to securely write files (or delete them) in your home directory. You may want to consider writing a simple PHP script as a CGI (or perl or even a shell script) that only does file writes and deletes (and pass file names as a variable to that script) and call that CGI from your other PHP scripts using the "virtual" directive.

for more Faq try this...

http://support.martnet.com/faq.php?get=1015

R.K
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 11761523
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

    SPLIT:  Mercantilum, rama_krishna580

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Periwinkle
EE Cleanup Volunteer
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now