I am building a web page with Apache2.2, PHP5.2.2 on a Windows XP computer in a localhost configuration. I'm developing app/pages/submitProcessor.php to validate photo uploads from users. It validates file existance, size, mime type, drops unwanted characters, assigns a new file name, and uses move_uploaded_file() to store the file in app/uploads. I read in PHP - Question about uploading & uploaded image file that this photo storage file should be write only from app/pages/submitProcessor.php and it would be nice if it were read only from code within app/pages.
I've read a lot of info, and being pretty new to this, I still don't understand how to set read/write permissions in Windows XP in something resembling my configuration. I'm completely confused by 777, 775, 755, php.ini vs httpd.config and linux vs Windows. I'm also not comfortable with command line stuff, and would prefer to edit the appropriate file, if that is possible. How do I configure Apache so any file in app/uploads will not be executable, will write only from app/pages/submitProcessor.php, and read from app/pages/display or others in app/pages . . . or at least I'd like to get close to that. Not executable in the app/upload directory is pretty important to me.
If you are running Apache as a Service (the default setup for stand-alone & WAMP Apache installations), then that Apache Service is running under Windows' LocalSystem account.
This Windows account already has full read and write ('777') permissions on most local paths.
So when you read instructions to chmod 777 this, chmod 755 that, etc, ... you can ignore those parts of the instructions. Apache already can read-from and writeout-to those directories (unless it's a UNC path of a networked drive).
Setting File Permissions with chmod on Windows for Apache and PHP
I'm not 100% positive if that was the account on Windows XP (it is on Vista and up), but the behavior was the same.
In Windows, access to directories/folders is set by right clicking the directory, and reading through the selections provided by the various tabs to set access and specific uses of the directory. Its not as fine-grained as CHMOD, but it was good enough for my purposes at the moment.
Related
I used to have a Windows OS server where i uploaded some old php web files to it. I could then access them, edit them, and view them online via my host name.
After much debating and reasoning, we had to change the OS of the server from Windows to Linux. After the change had been completed, a backup of the server was uploaded to the new Linux installation where all my old files were kept.
I could view these files online as I used to do when the server had windows OS.
The only thing I did encounter was the following:
a) I downloaded my files from the server using putty,
b) I deleted the old copy in my Linux server,
c) I then re-uploaded the same file that used to be in the server without making absolutely no change whatsoever to it, to the exact place where it was,
d) When I try to access it via its web address like I did earlier, it throws an error message saying..."The page isn't working".
I don't know much about Linux and there fore I am stuck. I don't know what the problem is. I can't understand why I can view all the files via their web address if they were placed there from the backup, but when I download them, delete their file from the server and then re-upload the exact same downloaded file to the exact place where it used to work, I get an error message.
Extra info: I connect to this Linux server from a windows OS machine using putty.
I found the problem. Since I migrated from a Windows OS server to a Linux Cent OS server, I didn't know that you had to configure the privileges of each folder in order to be accessed from the web. By default, my uploaded files where tagged by ownership of "user". The server was configured to only display files that were tagged by ownership of "root". The way I solved this was by typing the following command in the terminal.
NOTE: "You have to be in the folder where the file you are going to change ownership is."
sudo chown root:root filename.php
sudo -> Execute in admin mode
chown -> Change ownership of file to...
root:root -> ... root instead of user
filename.php -> the name of my file
Executing this corrected the error. Hope it helps someone else since I coudn't find anything related.
copy() function does not work in web browsers, but it works with CLI environment!!
I already checked the file permission and /etc/php5/apache2/php.ini file to check whether copy() is listed on the disable_functions. But it is not listed there :(
My os is debian by the way.
Thanks~ :)
You need to make sure that the files your moving are accessible by the user running the Apache application.
Apache usually runs as www-data:www-data, changing the file to 777 permissions (chmod 777 filename). Also ensure that the directory permissions allow access as well.
You shouldn't leave the permissions as 777 as this leaves the system open to all sorts of abuse. There is some very good documentation and very lengthy details about this here
I want to to read and write some data to text files from my PHP app. Its a small amount of data. Really just configurations.
My concern is that I have no control over the deployment environment. It will be a mixed bag of servers, mac and windows. They will all be running PHP5.3 and greater. The mac servers will have apache, and the windows servers will be running IIS.
I don't want customers calling with issues related to server setup and or permissions on files/folders.
I am pretty sure that WordPress does this all the time so, I know this is possible to do cleanly. The questions is how? Does anyone have any suggestions, pointers to libraries, or strategies that will help me accomplish my goal.
I ruled out sqlLite for this purpose, because i don't think it is enabled by default on windows and I think it is no longer installed on php5.4 windows by default. My main goal is to be able to persist a small amount of data in such a way that does drive my support costs through the rough the roof.
The way all common big PHP projects do it afaik is simply by reserving a folder for it, and checking its permissions on install.
You could easily make a /gen or /data folder in your webroot, and on install/update check that it:
contains a .htaccess file stating deny from all if the webserver is Apache, or an equivalent method of protection (just file_get_contents via the public URL to test) on other webservers
is_writable (you could also write, read and delete a small sample file to ensure this)
Put your documents in there and it's safe and portable on every platform.
Some sample code:
$docroot = $_SERVER['DOCUMENT_ROOT'];
$dataroot = $docroot.'/data';
$testfile = $dataroot.'/test.txt';
$publicURL = $youHaveThisSomewhere.'/data/test.txt';
if(!is_dir($dataroot))
die("The required data folder is not present at $dataroot");
if(!is_writable($dataroot) || file_put_contents($testfile, 'test') === FALSE)
die("Data path ($dataroot) is not writable, make it so!");
if(file_get_contents($publicURL) !== FALSE)
die("Data path is publicly accessible, go fix it!");
if(!unlink($testfile))
die("I also need delete rights in the data folder!");
die("Installation successful!");
Yeah, but even with Wordpress you have to worry about making certain files and directories writable (chmod, windows file permissions, etc).
And if I'm not mistaking Joomla/Wordpress (one of them at least) also give you the opportunity to enter FTP credentials, so rather than editing the file through the filesystem, it will try to upload the edited version through the FTP server.
What you simply could do is have a config file that must be edited in a text editor. And have the text-file read only for the webserver / application. But then changing one of these setting cannot be done through the website itsself, but needs a person to edit the text file in a text editor.
If you are already using a database, then ONLY the database-settings would have to be in the config file. The rest can be stored in the database.
I think the option you may be looking for involves the following steps:
Create an install file in this install script file:
See if directory is writable
If not ask for FTP credentials
Determine the system type Windows or *Nix bassed
Establish an FTP connection
*nix variants send a CHMOD command Windows send a CACLS command to make the directory writable
Terminate the FTP command
I have a CodeIgniter app running in production on Apache 2.2 with PHP 5.3 on Ubuntu 11.10. I am also running PHP5-APC, if that matters. So the app runs as www-data:www-data per the default Apache2 install.
I am trying to figure out what to set my file permission to. Many threads on SO seem to prefer 755 for directories and 644 for files. There is one directory that must allow files to be uploaded to it.
Currently my deployment script does something like this:
wipe old site
copy new site over
chmod -R 000 on the new site
chmod all directories to 500
chmod all files to 400
chmod 700 on the upload directory
Everything seems to work fine. I can upload files and so on.. so, I don't understand why people suggest 644 for files - I have a config file that has passwords and API keys - why would I want 'others' to have read-access to it?
What am I misunderstanding?
Well, mainly the 644 permission is meant for when you have /var/www/site1.com with different user and group set then www-data, because then the 644 would allow other groups and users to read from that file, but will allow to read and write the owner of the file.
As by default the user that uploads files and runs apache's processes is www-data then I honestly think that if it works for you and you have no issues, it's great because means a little more security.
Update
Just a small security issue, is that www-data has become a very common user and group for http services to run their processes. I would much recommend that each site/app have their own user and group.
*44 and *55 just means that the file/folder is readable by others.
This would be good if say, you uploaded files to the web server but they for some reason were owned by someone else (say your own login account), then apache could still read them and it'd be "no fuss". Or if you needed multiple groups to be able to access the files.
If you know you are uploading the files as the apache user, and apache (or whichever programs run under www-data) are all you need to be able to read/write the files, then *00 is completely fine. It can even be argued that it's a little more secure.
For people who don't know what they're doing on the linux command line, 644 and 755 are about the right mix between "convenient" and "safe" (completely debatable, though), so they are what is recommended for a quick fix.
When doing shared hosting, you have user accounts that upload php files via FTP. So, when user "joe" uploads his .php file, it is owned by "joe" and when Apache needs to read it to execute the script, it cannot. Users are usually in "users" group, so even giving privilege to the group would not be enough. That's why you need to give privilege to everyone, so that user "www-data" can read the file uploaded by "joe".
If you run your own server, than of course, you have full control and none of this matters.
I have 4 drives in my (yes, physically in the box, sata connected) Ubuntu 10.10 system with xampp installed at the /opt/lampp/ dir on the OS drive. The OS drive (ssd, lets call it drive1 for sanity) has the correct file permissions to allow for PHP (user www-data) to read/write to any of my htdocs and vhosts folder(s).
My problem comes with I try to move a file that exists on one of the other 3 drives. Each of my other drives are ntfs (1tb, 1.5tb and 2.0tb) and mounted with fstab. When I view the file permissions with the gui (nautilus) it says that everything is root. So I tried chown, chmod, etc. I found out that you can't change the permissions of ntfs with those commands. So I went to my fstab config, however I can't get those permissions set to allow for PHP to copy/rename/move a file within even one of the drives.
I updated to using the UUID's today, the drives are also shared on my local network and that still works just fine.
I changed to the ntfs-3g driver after installing, restarted the machine but I'm still not able to have php move a file.
Here is my fstab file:
UUID=552A7C6B05CEAAD2 /media/v1tb ntfs-3g defaults,uid=1000 0 0
UUID=DE58539158536775 /media/v1.5tb ntfs-3g defaults,uid=1000 0 0
UUID=3D80C54D5D100280 /media/v2.0tb ntfs-3g defaults,uid=1000 0 0
Also, I tried to use the following and its working just fine:
sudo -u www-data cp '/media/v2.0tb/path/to/file' '/media/v2.0tb/path/to/newfile'
How does imitating a user work, but php's rename/copy functions won't work?
How can I set the php user (www-data) to allow for copying/renaming/deleting files and directories on these ntfs drives? Do I have to reformat them?
Depends on the actual ntfs driver used. For ntfs-3g you can use the uid= and gid= params in the fstab. There is also a usermapping= feature that might be of interest. See also the manpage
If anybody gets a problem like this, sometimes it could be that the permissions on previous directories could affect the access to a directory.
For example, on Ubuntu 12.10, you have the partitions on /media, as many other Ubuntu versions. But on this version, you could have another directory where your partitions, especially the NTFS and external drives, will be located, and is /media/YOUR_USER_NAME. To solve the access to my external hard drive, concretely using PHP, I had to change permissions at /media/MY_USER_NAME, first, and then at /media/MY_USER_NAME/MY_EXTERNAL_DRIVE.
These are the commands used:
sudo chown MY_USER_NAME MY_USER_NAME/
sudo chown MY_USER_NAME MY_USER_NAME/MY_EXTERNAL_DRIVE/
and
sudo mount -t ntfs -o rw,uid=1000,gid=1000,fmask=000,dmask=000 /dev/sdb1 /media/MY_USER_NAME/MY_EXTERNAL_DRIVE
The first and the second one, is to change the Owner of the directory, and the third one, to mount the NTFS drive with the correct permissions.
I've thought this could be usefull to somebody, cause I've spent several hours after I realized that it could be that I couldn't access to previous directories.