In CI user guide there is such line:
You'll need a destination folder for your uploaded images. Create a
folder at the root of your CodeIgniter installation called uploads and
set its file permissions to 777.
How secure is it when I am developing real web application? For example: social network and I want to upload user's profile pictures. I think I will have privacy problems when user's will want to upload private pictures.
depending on the level of security you want, 777 might not be the best option (it's the simplest). The user the webserver runs as much have rwx to the folder, and if you want to be truly secure, the folder should not be under your webroot.
That means, if the web files are in /home/mysite/ ( eg /home/mysite/index.html maps to http://mydomain.com/index.html ) then the upload folder should be /home/uploads .
You application can use code to access the files via the system path ( /home/uploads ) but noone from the internet can directly access it that way.
Alternatively, if you cannot do the above ( eg because you're on a shared host ) you can use .htaccess (placed in the upload folder) for the same effect, by placing these rules :
Deny from all
Options None
Options +FollowSymLinks
( note that again, your app will need to use the system path, since Apache wont be able to serve these files directly ).
You could also use .htaccess to deny access to folders except those that you permit. At least I did same with mine and directories that are not listed for access in the .htaccess are not available to users.
Another safe way is to use a folder outside /public_html/
Directories outside this folder can hardly be accessed externally.
Related
I'd like to know how i can go about denying direct web access to configuration files of application whilst allowing php to access them.
I know most answers would suggest to put the includes outside the public_html directory. But I really don't think it's that efficient.
Thanks.
PHP just uses the file system to access files where web users usually go through apache and that verifies a .htaccess file. So just place that file that contains deny from all into that directory and voilla.
I have a server hosted by Altervista. Now since I don't want a file that I manage to be accessed by visitors, I wanted to put it outside of the root directory. I thought /var/www/ would work but it doesn't, or maybe I can't access at it.
Do you know how I can avoid users to access this file?
You could protect files in a subdirectory of your /var/www with a password via .htaccess and .htpasswd files in the subdirectory (procedure described here https://davidwalsh.name/password-protect-directory-using-htaccess, e.g.).
TL:DR Will permission 444 on a folder restrict access for a web user and browser?
I have a webserver with a root catalog that is accessible from the web. I can't access any folders higher up in the hiearchy, I only have control of the root folder and down.
Lets say I have the following folder structure:
includes
includes\database.php
admin
admin\index.php
I want the includes folder to follow these rules:
Accessible from within the server, so "admin/index.php" can include "includes/database.php"
Accessible via FTP, so I can access and edit the folder and files.
NOT Accessible by a user from the web.
Can I solve this by setting "includes" and all subfolders/files with permission 444? If so, is there a known way to bypass this access-rule or is it safe to use?
If you want to keep assets safe from web access you need to move them outside of your web root. Typically one level below your web root is used. This way they are still accessible via FTP and your code but not to web requests.
I think this question should be something easy but after searching all over the web I couldnt find an answer, so I decided to ask here.
I have a file uploader in my website that works with php. The folder where files are being uploaded has 777 chmod. I also have a php script to list the files in that folder. What I need is to allow php to upload and browse files on that folder, but dont allow people to do it. The only solution I imagined is to chown that folder to another user different than default, so I could later chmod in filezilla and allow only owner to do it, so people will see the files trough the output of the php script, but not if they navigate to that folder.
Im using Debian, apache2. Id like to know what could I do.
To make it shor, my aim: allow php to upload, read, write and execute files in that folder, but not clients unless they use my php script.
Thanks in advance
Put all the files you're talking about in their own directory. Add a .htaccess file to that directory. The contents of the .htaccess should be deny from all.
This will prevent any user from manually accessing the files as access will be blocked off. Your PHP script can still browse the contents of the file and serve it up as an attachment with the correct content type.
For more info on how to serve a file for download in PHP, read this: https://serverfault.com/questions/316814/php-serve-a-file-for-download-without-providing-the-direct-link
All services including web servers run in a security context which is an account in the OS, for example apache starts using apache user in apache group. It is enough to change mode and change owner to this user and group. Never chmod a directory to 777 until there is a good explanation for that. Using this trick, web service process only can read, write and execute in that directory.
As well, if you want the browser clients not to see(read) the contents of that directory, you should deny listing on that directory. I think it is disabled for default.
I have a folder named upload which is filled with folders of users uploaded files.
Is there any way I can stop people from directly downloading my users files by simply typing the folder names and file name into the address bar?
Example: user Jim's folder is stored at HOST/uploads/jim
user Jim's important file "myimportantfile.txt" is stored at HOST/uploads/jim/myimportantfile.txt
Now, if just anyone types into the address bar: www.HOST.com/uploads/jim/myimportantfile.txt , they will be able to view Jim's important file.
How can I stop this from happening?
Can I write certain attributes when making the directories?
You don't want to have those files in a web-accessible folder. Move them out of the webroot.
Once you do this, you can have a file like download.php to which you pass a file ID and it can then validate it is in fact Jim asking for his files and only then fetch the file and output it to the browser as an attachment. This is the safest/best way for security.
I belive file permissions of a directory +w-r+x will alow directory writes but not reads. In geeky unix terms this is %chmod 733 dirname. The directory ownership would have to be set properly using chown and chgroup. This applies to a unix environment.
You could use an .htaccess file to require a username and password to be entered making each folder a protected folder.
But I think the best way to do it would be to move the uploads folder outside of the webroot so that it's not directly accessible, and then create a script (PHP, ASP, etc) that serves up the requested file after authenticating the user.
The simplest solution is to just add an index.htm file to the folder.
Any visitors will then see this page rather than the index of files.
The page can be blank, or even better, redirect to the domain home page with a redirect.
Sure, you can use basic file/directory permissions in Linux. You can also set the entire tree to be denied by apache.
What platform / webserver software are you running?
Okay, linux:
If the owner of the directory is 'joe', and the group is 'apache', then:
chmod 750 joe
This would give the directory 'joe' permissions which allow the owner (joe) full access, the group (apache) write access (and the ability to enter the directory), and nothing else.
Is this an FTP drop-box?
What are the ownerships/groups like now?