In my code for uploading pdf documents to my web-server, I have used move_uploaded_file.
move_uploaded_file($tmp_source, $destin)
However, this command does not work unless I give 777 access to the uploads folder. I tried making it 775, but it wouldn't work.
I get the following error message
failed to open stream: Permission denied in /srv/http/host1/public_html/internal/upload.php on line 82
By putting the uploads folder above public_html, I can prevent people from accessing them via a browser, but how do I prevent local users from accessing this folder through ssh?
Some answers related to this question had suggested using
ps aux | grep apache
to find out the user to who the upload folder should be given appropriate permissions 0755. This information did not work for me.
However, the correct information was available in phpinfo() under the apache2handler header. It was http.
Among other things, I have restricted file types to pdf, set .htaccess to restrict cgi and also kept the uploads folder outside public_html to prevent access through browser.
I am not aware of further security concerns.
Related
I am using PHP file_put_contents to generate PDF files inside a directory named invoices.
This was working fine for a long time but stopped working with no changes to the code generating the invoices (I have asked the hosting providers about any changes to the installation but they are no help).
The error I get is "Warning: file_put_contents(test-generate-file/999999.pdf): failed to open stream: Permission denied"
However, this seems to be a file ownership issue rather than a permissions issue because after some testing I have found that:
The error occurs when the invoices folder has ownership cpanelusername:cpanelusername (this is the correct ownership needed for folders and files on the server to be viewed by visitors etc).
Files are successfully generated when the ownership is changed to PHP which has the ownership name nobody (so ownership nobody:cpanelusername works)
But the files that are generated successfully with ownership nobody can't be viewed by visitors.
As a workaround after they are generated I am manually changing their ownership to cpanelusername:cpanelusername so they can be viewed. But this is a pain.
So the question is what is preventing files being generated by PHP when the folder has the correct ownership is in place and how can I fix it?
I have viewed multiple similar questions but they mainly refer to file permissions as opposed to file ownership and have not helped. Also setting permissions of the invoices folder to 777 is not an option due to security being important.
test.php opens test.txt and writes to it. It works fine on one hosting server.
After migrating the code to another host, test.php now can't write out test.txt. The error shows:
Warning: fopen(/home/username/public_html/test.txt)
[function.fopen]: failed to open stream: Permission denied
It will only work when the test.txt file is set to 777. On the original host, test.txt was set to 755.
What am I missing to give permission for test.php to write to the file without 777 on this new host?
Also, file upload PHP scripts aren't working either.
It is not just the permission that is important, but also who owns the files. 755 is enough if the folder/file is owned by the same user that is used for running the web server.
Writing directly to the public_html directory is a huge security risk. I suggest creating a subdirectory (probably best outside the public_html) folder and give it the appropriate permissions / ownership.
It is safer to have the folder owned by the user that runs apache (or whichever web server is being used) - usually something like apache or www-data instead of giving world write permissions.
I have created a custom CMS with PHP and it uploads files to a directory with 777 permissions on it. When the files are uploaded they are given 600 with apache being the owner, therefore I can't download them through FTP as the main FTP user.
Anybody have any ideas? I have tried changing the permission but don't have rights due to the owner being apache.
You cant chmod the files, but 'apache' can: after uploading an moving the file,change the permissions in the same script. As it is run by apache, it is allowed to do so.
http://php.net/manual/en/function.chmod.php
For uploading files it is important to note that uploading files without explicitly setting permissions after is a bad practice.
I would take the link Nanne provided and begin to add that to your upload script. This will ensure that the files are given the appropriate permissions for each situation you will need them.
Using a standard LAMP server with full control, I need to upload an image from DomianA using a PHP script to a directory on DomainB. The server has suPHP and mod_security in place.
Currently using an absolute path to DomainB I am getting the error:
Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect.
I tried to chown the upload directory on DomainB to the user of DomainA (where the script is being run). With no luck.
After researching I have found two potential solutions, and want to see if there are any better methods. And maybe some code to get me going in the right direction.
Symlink - so basically have a dir (below the domain level I guess?) then have each domain have a symbolic link to that location.
Modify my httpd.conf - not sure what to do, but I don't want to open any potential security holes by doing this.
If domain B only needs to serve up files from that directory and not modify them, then put the directory somewhere in domain A's tree, with proper permissions to allow the uploads.
You can then configure domain B to access that directory via an alias:
Alias /path/to/the/files/in/domain/A /dom_a_dir
Then you can access the files directly via
http://dom.b.com/dom_a_dir
I have a PHP web application running on IIS, which allows a user to upload a file from a simple html form. The uploaded file is then moved to a folder on another server. This is working correctly on Apache, but fails on IIS with the error:
function['move_uploaded_file']failed to open stream: Permission denied
in...
I've checked all the permissions on the directories. If I run a simple PHP script through the command line to copy a file from the server into the folder on the other server it works correctly, so I suspect the problem is with IIS.
if (move_uploaded_file($_FILES ["file"] ["tmp_name"], "\\\\000.00.0.00\\tia\\web\\upload\\" .$_FILES["file"]["name"])) {
This has been covered already here. Quoting the reason here:
You have mapped target directory to a share such as \server2\files. These mappings are only available to the current users (eg, the admin account), not to the IUSR account that your php is probably running as (assuming IIS). Solution, don't use mappings, instead use the full 'unc' path name, ie '\server\share\folder\file.ext', also remember that the IUSR account will need access to these shares/folders/files
From what I can see in your comment, you are using a \\ prefixed network share as the target for your move_uploaded_file() operation.
I'll bet a beer that PHP isn't allowed to access that share. Remember, PHP runs with IIS's permissions!
Try saving to a local, globally writable path first. If that works, you know you have to fix the share's permissions.