Solved

Safe uploading with Apache/PHP/Debian

Posted on 2004-04-24
5
Medium Priority
457 Views
Last Modified: 2010-03-04
Hi all,

I've written a small PHP app that involves allowing users to upload images. I developed it under Windows and am now moving it to the Debian server.

Under windows, Apache by default had permissions to write to the file system. Under Linux www-data doesn't, and with good reason I figure. So, what the correct/safe way to allow users to upload files? Just give www-data write permissions on the certain folders? Or is there a smarter way?

Thanks,

Pete
0
Question by:PeterLengly
5 Comments
 
LVL 10

Accepted Solution

by:
Mercantilum earned 252 total points
ID: 10909974
'www-data' being the user running your apache (httpd) server,
[i.e. you have the "User www-data" directive in your httpd.conf], yes, you have to give this unix user write access to the directory.

A way to do that is
if your upload path is /home/upload

  chown -R www-data:root /home/upload
  chmod -R 750 /home/upload

This way the www-data user gets '7' (rwx) rights, the root group gets r-x, and other nothing.

(or, if you want to refine this for directories and files:
for each directory inside /home/upload
  chmod 750 /home/upload /home/upload/otherdir ...
  chmod 640 /home/upload/*   /home/upload/otherdir/*
to prevent the 'execute' access on files)
0
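Pete's setup has one upload directory per user, so here is an added shell script, not code from any of the posts above, that creates those directories, applies the 750/640 split from the accepted answer, and then audits the tree for any file that has gained an execute bit or any path readable or writable by group or "other". It assumes the tree root, web user and group are passed as arguments, and only attempts the chown when run as root with an existing user.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the per-user upload tree,
# applies 750 to directories and 640 to files, and audits the result.
# Assumed: ROOT, WEBUSER and GROUP are given as arguments; chown needs
# root and is skipped (with a warning) otherwise.

# setup_upload_tree ROOT WEBUSER GROUP [USER...]
setup_upload_tree() {
  root=$1; webuser=$2; group=$3; shift 3
  mkdir -p "$root"
  for u in "$@"; do mkdir -p "$root/$u"; done
  if [ "$(id -u)" -eq 0 ] && id "$webuser" >/dev/null 2>&1; then
    chown -R "$webuser:$group" "$root"
  else
    echo "skipping chown: need root and an existing user '$webuser'" >&2
  fi
  # directories: rwx for the web user, r-x for its group, nothing for others
  find "$root" -type d -exec chmod 750 {} +
  # files: rw- / r-- / ---, so nothing that was uploaded can be executed
  find "$root" -type f -exec chmod 640 {} +
}

# audit_upload_tree ROOT: prints every file with an execute bit and every
# path that is group-writable or accessible by "other"; returns 1 if any.
audit_upload_tree() {
  root=$1
  offenders=$(find "$root" \( \( -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \) -o -perm -020 -o -perm -002 -o -perm -004 \) -print)
  if [ -n "$offenders" ]; then
    printf 'insecure mode:\n%s\n' "$offenders"
    return 1
  fi
  return 0
}

# usage: sh upload_perms.sh /home/upload www-data root alice bob
if [ "$#" -ge 3 ]; then
  setup_upload_tree "$@"
  audit_upload_tree "$1"
fi
```

Re-running the script after uploads have landed re-applies the 640 mode, so it doubles as a periodic fix-up for the per-user directories.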
 

Author Comment

by:PeterLengly
ID: 10910986
Hi Mercantilum,

That's pretty much what I figured - just wondered if there was a cleaner way than running around giving write access (Unfortunately people upload to an upload directory each, so there'll be lots of directories, although well defined, which will need write access).

They're only uploading images, but I like the tip about preventing execution. I'll go set that up and get back to you once I have it working.
0
 
LVL 23

Assisted Solution

by:rama_krishna580
rama_krishna580 earned 248 total points
ID: 10912464
Hi,

PHP by default runs as the web user (www-data) and not as the user that owns a particular file. In short, PHP can't modify files owned by you. You can also run PHP scripts as a CGI (through CGI-Wrap; just change the first line of the script to:
#!/usr/local/bin/php, à la Perl CGIs...) so the script runs as you, and will have full read/write access to anything in your home directory. PHP does run slower as a CGI, but it is the only way to securely write files (or delete them) in your home directory. You may want to consider writing a simple PHP script as a CGI (or perl or even a shell script) that only does file writes and deletes (and pass file names as a variable to that script) and call that CGI from your other PHP scripts using the "virtual" directive.

For more FAQ try this...

http://support.martnet.com/faq.php?get=1015

R.K
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 11761523
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

    SPLIT:  Mercantilum, rama_krishna580

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Periwinkle
EE Cleanup Volunteer
0
