I'm using CodeIgniter's upload helper and received the above error when trying to upload an image. The permissions for the folder I'm trying to upload to are 755. When I changed it to 777, the error went away, but isn't 777 kind of a security risk?
I'm running on Apache. Is there a better way to allow users to upload files without setting the folder permissions to 777? How can I get 755 to work?
Thanks for the help!
If the folder is for loading files by users then permission 777 is required.
It's up to you to validate what files are loaded through the upload script.
Also, you can use .htaccess to allow or not allow certain files to be executed from that directory.
The documentation for upload in CodeIgniter is pretty simple and intuitive. Also, here you can look at some ways to validate the type of files that are uploaded: https://codeigniter.com/userguide3/libraries/file_uploading.html
I don't think giving any folder on the server 777 permission is good. Instead of giving 777 permission, I suggest making the www-data user the owner of the desired folder and giving it 755 permission, like below:
chown -R www-data:www-data /var/www/html/uploads/
For 755 permission
chmod 755 -R /var/www/html/uploads/
In my NGINX + PHP-FPM installation the issue was solved by changing the SELinux parameters from enforcing to permissive:
edit and change options with vi /etc/selinux/config
apply options without restart with sudo setenforce 0
check the status with sestatus.
try this:
sudo chmod 777 -R /path/to/write/folder
I know this is not an active question and may not be an issue for most but because I came across this I wanted to clarify for anyone else that may see this.
You DO NOT need 777 permission on your upload directory. This is actually not a good idea. The last 7 means it is publicly writable, which it does not need to be in most cases. Typically 755 should be good enough.
More than likely the issue is that the directory is not owned by the user running Apache, which is typically www-data.
Step by step:
Check owner of dir (i.e.)
ls -l /path/to/upload/
Output should look similar to:
drwxr-xr-x 4 www-data www-data 4096 Oct 26 20:41 uploads
If not, then you should change it to www-data if that is the user Apache is running under. To check what user Apache is running under:
ps aux | egrep '(apache|httpd)'
This should list something similar:
www-data 419 0.0 0.9 556292 156656 ? S 18:46 0:00 /usr/sbin/apache2 -k start
Hope This Helps!
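The step-by-step check above, as an added shell example that is not part of the original answer: it pulls the worker account out of `ps aux` output and compares it with the directory's owner and mode bits. It assumes GNU `stat`; the function names and the root line in the sample are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original answers. Assumes GNU coreutils (stat -c).

# Constructed sample of `ps aux` output; the www-data line is the one quoted above.
SAMPLE_PS='root       400  0.0  0.5 556000   9000 ?  Ss 18:46 0:00 /usr/sbin/apache2 -k start
www-data   419  0.0  0.9 556292 156656 ?  S  18:46 0:00 /usr/sbin/apache2 -k start'

# Print the first non-root account running apache2/httpd, given `ps aux` text on stdin.
# The parent process runs as root; the workers are the ones that write uploads.
web_user_from_ps() {
    awk '$11 ~ /(apache2|httpd)$/ && $1 != "root" { print $1; exit }'
}

# audit_upload_dir DIR WEB_USER
# Prints one finding per line, or "ok" when owner and mode already fit 755-style use.
audit_upload_dir() {
    a_owner=$(stat -c '%U' "$1") || return 2
    a_mode=$(( 0$(stat -c '%a' "$1") ))     # octal string -> integer
    a_bad=0
    [ "$a_owner" = "$2" ] || { echo "owner is $a_owner, expected $2"; a_bad=1; }
    [ $(( a_mode & 0200 )) -ne 0 ] || { echo "owner lacks write permission"; a_bad=1; }
    [ $(( a_mode & 0002 )) -eq 0 ] || { echo "world-writable (the last 7 in 777)"; a_bad=1; }
    [ "$a_bad" -eq 1 ] || echo "ok"
}

# Usage: sh audit.sh /path/to/upload www-data
if [ $# -eq 2 ]; then
    audit_upload_dir "$1" "$2"
fi
```

On a live host, feed the first function with `ps aux | web_user_from_ps` instead of the sample text.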
Related
I am working on an Apache server and generating a tmpdir using the following code.
$tmpdatadir = "/home/user/tmpdata/".$id."/";
if (mkdir($tmpdatadir)) {
/* do something */
}
dir created:
drwxr-xr-x 2 www-data www-data 4096 Aug 30 17:16 147257020639481
But when I try to write some data using
exec ("cat file.txt >". $tmpdatadir."sample.txt")
I get the following error message:
Permission denied. As I copy the file as user:user, how can I change the permission of the directory? I found chown does this, but I am not sure how I can change ownership of the whole directory.
First of all, please review the permissions for the www-data folder with ls -lrt; that way you can see if your user is able to write to the file.
Then, you can use the command: chmod 666 www-data to change the permission of the file to read and write for all users. In this link you can find the syntax for the chmod command and a useful calculator if you want to limit other users.
Also, I share with you the specific functions for the chown and chmod commands. See this site.
I've tried to use chmod function in php to change permissions to 777 temporarily, upload the file and then change it back to 755. But it didn't work, as it doesn't allow me to use the chmod function via php.
if(chmod($path, 0777) ) {
if(!move_uploaded_file($oldfile, $newfileloc)) {
return false;
}
chmod($path, 0755);
return true;
}
else
return false;
I had it working on my previous server with 755 permissions given to the folder.
I'm not sure how permissions work, so please help, thanks!
EDIT:
What permissions should my /var/www folder have so that web-server can write files?
EDIT 2:
Okay, I had this figured out. I just have to give permissions to www-data:www-data to make sure webserver has all the required permissions.
But the issue I'm getting is that when /var/www has chown www-data:www-data, the PHP functions work fine but I get permission denied errors when using FileZilla. So right now I have to change permissions to root:www-data every time I need to transfer something via FileZilla and then back to www-data:www-data to make sure my webserver's working fine. Anyone got a fix for this?
You can give 755 permission, but you have to change the owner and group for the /var/www/ folder. It should have www-data's ownership and group ownership. Check first which user has ownership and group ownership for this folder. Run the command below.
ll /var/www/
If it has root access then it would look like this.
drwxr-xr-x. 2 root root 23 Mar 21 17:33 html
Change the owner and group owner to the www-data user using the command below.
chown -R www-data:www-data /var/www
You can keep the folder permission at 755. The -R option is used for giving permission recursively to its child folders and files.
I am trying to install RackTables on an Ubuntu Server 13. I have followed all the steps in the documentation. When I get to the step after I connect to the database I can't seem to figure out the ownership settings.
I have set up the database as follows :
mysql -uroot -p
create database racktables;
grant all on racktables.* to root;
grant all on racktables.* to root@localhost;
grant all on racktables.* to rackuser;
grant all on racktables.* to rackuser@localhost;
set password for rackuser@localhost=password('rackpw');
exit
Here is the step that I am stuck on;
RackTables installation: step 4 of 7
Please set ownership (chown) and/or permissions (chmod) of /var/www/racktables/inc/secret.php on the server filesystem as
follows:
The file MUST NOT be writable by the httpd process.
The file MUST be readable by the httpd process.
The file should not be readable by anyone except the httpd process.
The file should not be writable by anyone.
For example, if httpd runs as user "nobody" and group "nogroup",
commands similar to the following may work (though not guaranteed to,
please consider only as an example):
chown nobody:nogroup secret.php; chmod 400 secret.php
I have tried the
chown root:rackuser /var/www/racktables/inc/secret.php
chmod 400 /var/www/racktables/inc/secret.php
I can't figure out how to set up the permissions so that they fall into this category:
The file MUST NOT be writable by the httpd process.
The file MUST be readable by the httpd process.
The file should not be readable by anyone except the httpd process.
The file should not be writable by anyone.
Please help. Any suggestion is appreciated
Thank you
First you have to figure out which user and group your web server (Apache/nginx/etc) is running under.
If you're using Apache, you should be able to check by running:
grep -E '^(User|Group)' /etc/apache2/apache2.conf
In Ubuntu, it's common for both user and group to be www-data.
Once you know that, you should be able to change the file's ownership like:
chown [webserveruser]:[webservergroup] /var/www/racktables/inc/secret.php
Example:
chown www-data:www-data /var/www/racktables/inc/secret.php
Keep the chmod the same as you had before.
This should mean it's readable by the www-data user and only the www-data user, writable by nobody (including www-data), which should meet all four of your conditions.
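To see why the asker's `chown root:rackuser` attempt fails the installer's rules while the answer's ownership passes, here is an added example (not RackTables code and not from the answer) that evaluates an owner/group/mode triple against the four rules. It assumes httpd has no supplementary groups and treats a root owner's read bit as harmless; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Pure mode-bit logic: no root needed, nothing on disk is changed.

# secret_perm_check OWNER GROUP MODE HTTPD_USER HTTPD_GROUP
# Prints one line per violated installer rule, or "ok".
secret_perm_check() {
    s_mode=$(( 0$3 ))                       # octal string -> integer
    # Pick the permission class the kernel applies to httpd: owner, group or other.
    if   [ "$1" = "$4" ]; then s_bits=$(( (s_mode >> 6) & 7 ))
    elif [ "$2" = "$5" ]; then s_bits=$(( (s_mode >> 3) & 7 ))
    else                       s_bits=$(( s_mode & 7 ))
    fi
    s_bad=0
    [ $(( s_bits & 2 )) -eq 0 ] || { echo "MUST NOT be writable by httpd"; s_bad=1; }
    [ $(( s_bits & 4 )) -ne 0 ] || { echo "MUST be readable by httpd"; s_bad=1; }
    # Read bits that reach accounts other than httpd. The "other" read bit always
    # does; group and owner read bits do when they belong to someone else.
    s_leak=$(( s_mode & 0004 ))
    [ "$2" = "$5" ] || s_leak=$(( s_leak | (s_mode & 0040) ))
    [ "$1" = "$4" ] || [ "$1" = root ] || s_leak=$(( s_leak | (s_mode & 0400) ))
    [ "$s_leak" -eq 0 ] || { echo "should not be readable by anyone except httpd"; s_bad=1; }
    [ $(( s_mode & 0222 )) -eq 0 ] || { echo "should not be writable by anyone"; s_bad=1; }
    [ "$s_bad" -eq 1 ] || echo "ok"
}

# check_secret_file FILE HTTPD_USER HTTPD_GROUP: same check on a real file (GNU stat).
check_secret_file() {
    secret_perm_check "$(stat -c '%U' "$1")" "$(stat -c '%G' "$1")" \
                      "$(stat -c '%a' "$1")" "$2" "$3"
}

echo "asker's attempt (root:rackuser 400):"
secret_perm_check root rackuser 400 www-data www-data
echo "answer's layout (www-data:www-data 400):"
secret_perm_check www-data www-data 400 www-data www-data
```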
This is driving me insane. httpd runs as the user apache. I have two directories within /var/www/html -- uploads and photos. Both have group:owner of apache:apache. Both are 755. uploads is writable from php -- photos is not.
Some test code:
var_dump(touch('/var/www/html/photos/_test.log'));
var_dump(touch('/var/www/html/uploads/_test.log'));
var_dump(touch('/var/www/html/uploadsasdf/_test.log'));
And results:
Warning: touch(): Unable to create file /var/www/html/photos/_test.log because Permission denied in /var/www/html/test.php on line 2
bool(false)
bool(true)
Warning: touch(): Unable to create file /var/www/html/uploadsasdf/_test.log because Permission denied in /var/www/html/test.php on line 4
bool(false)
I've confirmed permissions through a shell and GUI interface. I've chowned and chmoded everything again just to be sure. I've renamed the uploads directory to something else and renamed photos to uploads to see if the name of the directory was the key here, but it wasn't. It's the directory itself. The renamed uploads still works with a new name, and the photos directory that is now called "uploads" does not.
Of note, _test.log does not exist in the folders before testing, so it's not like that file has bad permissions or anything.
Interestingly, if I create a new directory, chown it to apache:apache, chmod it to 777, I can't write to it, so something larger may be wrong here; but the question remains: why then does the uploads directory work?
Has anyone seen this behavior before? Am I missing something obvious?
Thanks in advance for any help!
Edited to add more info:
exec('whoami')
"apache"
var_dump(posix_getpwuid(fileowner('/var/www/html/')));
var_dump(posix_getpwuid(fileowner('/var/www/html/uploads/')));
var_dump(posix_getpwuid(fileowner('/var/www/html/photos/')));
all "apache"
All have the same fileperms() value. However, is_writable() is false on all but "uploads".
mkdir('var/www/html/test');
Warning: mkdir(): Permission denied
ls -alF
drwxr-xr-x. 2 apache apache 286720 Nov 22 15:17 photos/
drwxr-xr-x. 2 apache apache 81920 Nov 22 12:06 uploads/
drwxr-xr-x. 2 apache apache 6 Nov 22 10:31 uploadsasdf/
I have called clearstatcache(); I have rebooted the server. What ... on ... Earth?
Since you are using CentOS and you've tried everything else, my guess would be something related to SELinux. One of the answers from this question may be helpful: "Forbidden You don't have permission to access on this server. Centos 6 / Laravel 4"
Specifically try this to analyze SELinux permissions (ls -lZ) and temporarily disable SELinux:
If you're using CentOS it could be an issue with selinux. Check to see if selinux is enabled with 'sestatus'. If it is enabled, you can check to see if that is the issue (temporarily) using 'sudo setenforce 0'. If apache can serve the site, then you just need to change the context of the files recursively using 'sudo chcon -R -t httpd_sys_content_t' (you can check the existing context using 'ls -Z').
If selinux is enabled (sestatus will tell you), try sudo restorecon -Rv /var/www/ first. Sounds much like SELinux is getting in the way and you somehow have got a file/directory there which is not labelled correctly. Restorecon will revert labels to default, and -v will show you which labels have been corrected, if any.
Failing that, extended attributes come to mind. Do lsattr <filename> and if the output looks anything like ------i-----, the immutable flag is set. Change it with chattr -i <filename> and you're good to go.
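Two directories with identical owner and 755 mode can still differ in their SELinux type, which is what the `ls -Z` check in the answers above looks for. The following is an added example, not from the original posts: it parses `ls -dZ` output and reports each directory's type. The sample labels are constructed and are an assumption about what such a system might show; in the targeted policy `httpd_sys_content_t` is read-only for httpd and `httpd_sys_rw_content_t` is read/write.

```sh
#!/bin/sh
# Added example. Parses text only, so it runs on hosts without SELinux.

# Constructed sample of `ls -dZ /var/www/html/*` output (not the asker's real labels).
SAMPLE_LS_Z='drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/photos
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/uploads'

# Reads `ls -dZ` (or `ls -ldZ`) lines on stdin and prints "PATH TYPE VERDICT".
# The context is the field shaped user:role:type:level; the path is the last field.
selinux_write_report() {
    awk '{
        type = ""
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4) { type = c[3]; break }
        if (type == "")                            verdict = "unlabelled"
        else if (type == "httpd_sys_rw_content_t") verdict = "writable"
        else if (type == "httpd_sys_content_t")    verdict = "read-only"
        else                                       verdict = "other"
        print $NF, (type == "" ? "-" : type), verdict
    }'
}

# A persistent fix for a "read-only" upload directory, instead of setenforce 0
# (path is illustrative; semanage ships in policycoreutils):
#   semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/photos(/.*)?'
#   restorecon -Rv /var/www/html/photos

printf '%s\n' "$SAMPLE_LS_Z" | selinux_write_report
```

On a live host, replace the sample with `ls -dZ /var/www/html/* | selinux_write_report`.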
I know that there are a lot of similar questions, but just hear me out, and if this was a silly question and there was nothing new about it, I'll just delete this question.
I'm trying to upload using PHP, but I get permission denied. So here's what I did to solve it, which didn't work:
First of all, this is localhost, so I can't set the owner of the files to apache, because I won't be able to edit them.
So I got the Apache user name in PHP, and it was www-data
I created a new group called 'localhostowners'
I added my own user to this group
I added www-data to the group
When I run
grep -i 'localhostowners' /etc/group
I get
localhostowners:x:1001:mnvoh,www-data
And then I set the file permissions for everything on the localhost dir to 764
and set the owner with this:
sudo chown -R mnvoh:localhostowners localhostdir
But now I can't execute the PHP scripts, hence the 4. Although, according to what I know, the 6 should be affecting Apache, since I set the group on the files. What am I doing wrong here?
Thanks everybody :)
Test with:
sudo chown -R mnvoh:localhostowners localhostdir
sudo chmod 764 -R localhostdir
-R: recursive
First you should check the permissions of the file
ls -a
or
ll
and make sure the person who wants to execute the file has the x permission.
-user-group-other
-rwx rwx rwx