I have some php scripts that need to move, create and delete files and folders. Unless I CHMOD the folders to 777 the php scripts die with errors about permissions. CHMOD'ing the folders to 777 fixes the problem, but after a lot of reading I'm still confused as to whether it's OK to do or not.
I've read that it can be dangerous on shared hosting, but my question is, is it safe to do on a VPS?
VPS or not it does not really matter. Chmod 777 means you are giving anyone (any user, incl. system daemons) all permissions possible (which includes read, write and execute) to given file or directory. if you are the only user on the machine, then it reduces the risk (still, if anyone break in, then he would still be able to mess using hacked daemon's user id). Additionally, if there're other user accounts on that VPS, setting 777 lets them put their content into files with said permission (or launch them). Will they do that - who knows. They might, just because they can due to 777. In general, rule of the thumb should be give as much permissions as really needed, and nothing beyond that.
Related
If you have a website, and have different files doing different things, how should you chmod each file?
For example:
A CSS file which controls the layout of the HTML home page. How should I chmod that?
A JS file with functions that give interactivity to the website. How should I chmod that?
And a PHP file which communicates and changes the website's content from the server. How should I chmod that?
I understand how the chmod function works, but I don't understand what files you should chmod in what way. HELP! :D
You should give 750 to PHP file.
For CSS and JS file 644 would be sufficient.
All directories should have 755 permission and all files(php, js, html) should have 644 permission.
As long as the webserver (and all other relevant processes) can access and modify everything it needs to in order to function, you're fine. It needs to be able to read all files it tries to access, and write into directories that it wants to upload files.
I use comprehensive ACLs in order to manage that logically on shared hardware.
$ man setfacl
Unless you have a reason not to (such as multiple users editing files, or you are using webserver-generated directory listings), I always use 711 permissions on all directories. Apache is quite happy with this.
This stops local users from seeing what files you have in there (such as, say, notes, info or config files), and can offer some protection if other settings are misconfigured (+Indexes is turned on, say) or if you don't have the ability to change such settings.
Also, this setting follows the principle of setting minimum required access. (Your mileage may vary on some web apps which need directories to be explicitly readable, but I haven't come across this.)
I'm most interested in flatpress, since that is the one I'm currently working with. All i had to do with it was remove its 'read-only' status in windows 7. I have zero understanding of what 666 or 777 permissions are. If you have insight into other setups I wouldn't mind knowing that also. I'd really appreciate an indication of specific functions or lines of code that create the file. Would they have to be .txt files?
First thing to be able to create, read or delete files and folders the user that is running the PHP process must have permission to do so.
I recommend you to read and understand the concept of ACL´s - Access Control List.
DOS had a simple and dangerous set of permissions, thats the main reason antiviruses exists: it was too easy to screw up DOS based systems, you won´t need a even a virus, with some time and use the system get corrupted, because actions of any program can compromise important parts of the system.
Depending on the OS, permissions scheme can be different, but let´s talk about Unix-like simple permissions. Windows NT(any version after Windows XP) also implement ACL´s.
When you see 666, 777, 755, 644 this means:
0 --- no permission
1 --x execute
2 -w- write
3 -wx write and execute
4 r-- read
5 r-x read and execute
6 rw- read and write
7 rwx read, write and execute
And its a set for: UGO = User, Group, Other, so 644 = User read and write, Group read, Other read.
So users can belong to groups and files and folders are properties of users and groups.
Also you can now imagine the concept of a super user, that can do anything, we can that "root" user on unix and "administrator" on windows liek systems.
Wikipedia is to straight, so I recommend the reading of Understanding Permissions
Good study!
I'm trying to debug a strange file permission issue involving php, and have exhausted the obvious problems. Note that I'm not experienced with php, so it might be something dead-obvious.
I want the user to be able to create a folder and files via a web interface, and to be able to work with those files from a separate user account on the server for some backend work. The problem is that the created folders and files have no write or execute permissions for other users.
I don't have a lot of knowledge in this area, so my best hacky try was to see if explicitly passing 0777, even though it's the default, to the relevant mkdir fixed it. And also to every other mkdir call. And every chmod call.
As far as I can tell, the folder and files SHOULD be created with the right permissions. Does anyone know reasons the permissions might differ from what I naively expect?
if this is UNIX you need to check the UMASK for the web server user, if this is windows, it ignores the permissions.
http://us.php.net/umask
I need a directory with 777 permissions in my webserver; anyway, I would like to protect it by placing it outside the public_html directory. Is this safe enough? A php script will be able to access that directory?
Thank you for your help.
—Albe
So long as your php scripts are sufficiently secure from users trying to break them with SQL injection (amongst others), placing the directory outside the web root is definitely safe to prevent others directly accessing the contents. And yes, php can still access the files, if given an appropriate path to that directory.
yes, the other php scripts can still access that directory, but it will not be reachable over the web.
set the correct owner/group as well,
if you set it to be the owner of the php process a 700 should be working just as well.
David's way is the easiest, but you could also try;
placing a .htacces file in your folder
changing the permissions to 700 (or 750, if you have to be able to edit it with the group)
starting filenames in the directory with a dot (though this is easy to screw up, so you may want to avoid it)
If David's way works, I'd prefer that, but in case you have some weird extra restrictions, these ways MAY work.
Alright, so I have a problem. I need to create a folder to store compiled templates in php. I have an install script that tries to mkdir() an appropriate directory (compiled_templates).
Invariably it returns this warning.
Warning: mkdir() [function.mkdir]: Permission denied in /home/tchalvak/sites/quotesite/quotes/install.php on line 92
Running changing the mode of the folder that the compiled_template folder will be created within also errors out on the same permissions problem.
Is there no way to assure that you can create what amounts to a storage folder via php? You have to use an outside-php program just to ensure that a folder is created? How do other php developers deal with this issue?
Edit: This is an installable script, so the overall objective is to allow 10 different random people to install the script on their server. This is why "making sure that php has all these great necessary write permissions to the compiled_templates directory" isn't practical as a manual process, unfortunately.
Edit: Damn, same permission error when just trying to create a temp directory as well. Lame.
If it's a temporary directory, create the directory in the system temp dir.
mkdir(sys_get_temp_dir() . 'example');
The general approach though is to simply ensure the user PHP is run as (e.g. apache) has write permissions where necessary.
I agree with putting the dir in tmp. To answer the more general question about dealing with this in installer script in general... You should set the perms up on the web root before you run the script and also make sure the perms are correct on any dirs within your package. With that said i generally try to avoid web installers and instead write installers for the CLI version of php. Of course you need ssh access on the box to do that but for me at least its very rarely the case that i dont.
Normally we set up the system to have the appropriate permissions, if that isn't an option your script should fail with a nice descriptive error message and possible solution.
Since you mentioned that you want a temp folder maybe the tmpfile(), tempnam() and sys_get_temp_dir() functions may be useful for you.
If using the system temp directory won't suit you, I've seen creative installers that ask for FTP credentials, and then use FTP to create directories and set permissions.
This may, however, be a bit too clever for it's own good.