Safe uploading with Apache/PHP/Debian

Posted on 2004-04-24
Last Modified: 2010-03-04
Hi all,

I've written a small PHP app that involves allowing users to upload images. I developed it under Windows and am now moving it to the Debian server.

Under Windows, Apache by default had permissions to write to the file system. Under Linux www-data doesn't, and with good reason, I figure. So, what's the correct/safe way to allow users to upload files? Just give www-data write permissions on certain folders? Or is there a smarter way?

Thanks,

Pete
Question by: PeterLengly

Accepted Solution
by: Mercantilum
'www-data' being the user running your Apache (httpd) server
[i.e. you have a "User www-data" directive in your httpd.conf], yes, you have to give this Unix user write access to the directory.

A way to do that is,
if your upload path is /home/upload:

  chown -R www-data:root /home/upload
  chmod -R 750 /home/upload

This way the www-data user gets '7' (rwx) rights, the root group gets r-x, and others nothing.

(Or if you want to refine this for directories and files:
for each directory inside /home/upload
  chmod 640 /home/upload/*   /home/upload/otherdir/*
  chmod 750 /home/upload /home/upload/otherdir ...
to prevent 'execute' access on files while keeping the directories traversable.)

Author Comment
by: PeterLengly
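The chown/chmod steps from the accepted answer, together with the author's follow-up point that there will be one upload directory per user, collected into a single script as an added example (this is not code from the thread). It assumes only the /home/upload path and the www-data:root ownership used in the answer; the check function and the use of find instead of a blanket chmod -R are additions a practitioner would want.

```shell
#!/bin/sh
# Added example (not from the thread): give the web-server user write access
# to an upload tree while keeping every file non-executable, then verify it.
# Assumed names: /home/upload, www-data and root come from the accepted answer.

# Make $1 (and everything below it) owned by $2:$3, directories 750, files 640.
# find is used instead of "chmod -R 750" so that the execute bit is never set on
# regular files while directories stay traversable, however many per-user
# subdirectories the tree contains.
setup_upload_tree() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir"
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 750 {} +   # rwxr-x---: owner writes, group lists
    find "$dir" -type f -exec chmod 640 {} +   # rw-r-----: no execute bit on files
}

# Exit 0 only if no regular file under $1 is executable and nothing under $1
# is writable by group or others (the two things the answer is trying to prevent).
check_upload_tree() {
    dir=$1
    offenders=$(find "$dir" \( \( -type f -exec test -x {} \; \) \
                               -o -perm -020 -o -perm -002 \) -print)
    [ -z "$offenders" ]
}

# Stand-alone use: sh setup_upload.sh /home/upload www-data root
if [ "$#" -eq 3 ]; then
    setup_upload_tree "$1" "$2" "$3"
    check_upload_tree "$1" && echo "ok: $1 is writable only by $2 and holds no executables"
fi
```

Mode 640 stops the kernel from executing an uploaded file directly, but it does not stop Apache with mod_php from interpreting a file named something.php that is served from a web-exposed path; keep the upload tree outside DocumentRoot (as /home/upload normally is) or disable the PHP handler for it. Running the check after every permission change is cheap and catches the case where a later chmod -R or a copied-in file silently re-enables an execute bit.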
Hi Mercantilum,

That's pretty much what I figured; just wondered if there was a cleaner way than running around giving write access (unfortunately people upload to an upload directory each, so there'll be lots of directories, although well defined, which will need write access).

They're only uploading images, but I like the tip about preventing execution. I'll go set that up and get back to you once I have it working.

Assisted Solution
by: rama_krishna580
Hi,

PHP by default runs as the web user (www-data) and not as the user that owns a particular file. In short, PHP can't modify files owned by you. You can also run PHP scripts as a CGI (through CGI-Wrap; just change the first line of the script to
#!/usr/local/bin/php, à la Perl CGIs...) so the script runs as you, and will have full read/write access to anything in your home directory. PHP does run slower as a CGI, but it is the only way to securely write files (or delete them) in your home directory. You may want to consider writing a simple PHP script as a CGI (or Perl or even a shell script) that only does file writes and deletes (and pass file names as a variable to that script) and call that CGI from your other PHP scripts using the "virtual" directive.

For more FAQs, try this:

http://support.martnet.com/faq.php?get=1015

R.K