Why can't I download files uploaded with PHP? - php

I have created a custom CMS with PHP and it uploads files to a directory with 777 permissions on it. When the files are uploaded they are given 600 with apache being the owner, therefore I can't download them through FTP as the main FTP user.
Anybody have any ideas? I have tried changing the permission but don't have rights due to the owner being apache.

You can't chmod the files, but 'apache' can: after uploading and moving the file, change the permissions in the same script. As it is run by apache, it is allowed to do so.
http://php.net/manual/en/function.chmod.php

For uploading files it is important to note that uploading files without explicitly setting permissions after is a bad practice.
I would take the link Nanne provided and begin to add that to your upload script. This will ensure that the files are given the appropriate permissions for each situation you will need them.
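The approach from the answers above, sketched as an added example (not code from the original posts): the upload script moves the file and then sets its mode itself, since it runs as the file's owner. The directory path, the form field name `file` and the 0644 mode are assumptions.

```php
<?php
// Added example: store an upload and set its mode in the same script.
const UPLOAD_DIR = '/var/www/uploads';   // assumed path
const FILE_MODE  = 0644;                 // assumed: owner rw, group/others read

function storeUpload(array $file, string $dir, int $mode): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed, code $err");
    }
    // Keep only the base name and a conservative character set.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    if ($name === '' || $name[0] === '.') {
        throw new RuntimeException('unusable file name');
    }
    $target = $dir . '/' . $name;

    // move_uploaded_file() only accepts files that arrived as HTTP uploads.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload');
    }
    // The web server user owns the new file, so this script may chmod it.
    // The mode must be an octal literal: 0644, not 644 and not '0644'.
    if (!chmod($target, $mode)) {
        unlink($target);
        throw new RuntimeException('could not set permissions');
    }
    // Confirm the result rather than trusting the call.
    clearstatcache(true, $target);
    if ((fileperms($target) & 0777) !== $mode) {
        unlink($target);
        throw new RuntimeException('unexpected permissions on stored file');
    }
    return $target;
}

if (isset($_FILES['file'])) {
    echo storeUpload($_FILES['file'], UPLOAD_DIR, FILE_MODE), "\n";
}
```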

Related

Cpanel Permission when uploading

When I upload files through my cPanel's file manager, all my PHP file permissions are being changed to 0666. From what I read this is not secure, and it is causing my WordPress to not function correctly. Normally web hosts have the permissions set to 0644 when uploading files. It would take ages for me to change all files manually from 0666 to 0644. How can I change the permissions when I upload in cPanel? Should I try FTP and see if that makes a difference?
EDIT
When I upload the zip file it uploads as 0644, then when I extract it the files inside are all turned into 0666.
Thanks
There is no need for you to re-upload all files to simply change permission for them.
Use your FTP client to change file permissions for files, directories and sub-directories.
You can do this via command-line SSH (if you have access).

Unable to get file upload permissions for PHP file manager

My site is on a shared hosting. I've been using FTP and PHP File Manager to upload and delete files. Recently I've found a file I couldn't delete due to permissions, neither in PHPFM nor in FTP. So I've used DirectAdmin (the only option for my plan) to reset all permissions. Then I set all permissions for all files in public_html and subfolders to 777 recursively. I know only that it allows me to do more than any other permission variant.
Now the site is running in a static way, I can open PHP File Manager and it has no permission to upload files. I can upload files in DirectAdmin, however, but that feels unsafe. PHP File Manager reads: 'I/O error'. The directories look like this:
What do 1422 and 1420 mean? What can I do to upload files again? Thank you for the help.
1422 is the user_id the file belongs to and 1420 the group_id it belongs to.
Linux has a permission system, where you can give special permissions to the owner, your group and everyone else.
Permission 777 means everybody can read/write/execute, your group (1420) can read/write/execute and you (user 1422) can read/write/execute the file.
Permissions:
1 is execute file or open directory
2 is write
4 is read
Read/write permission is 2+4=6, read/execute (or open a directory) is 1+4=5
The three numbers represent [owner][group][everybody], so setting a file to 644 means the user can read/write and everybody else can just read the file.
Edit: The safe thing is to set all files to 644 and directories to 755. Private files should be 600 and executable files 755 (PHP files are NOT executable).
Apache is run as user apache or httpd, which is another user, therefore you must give "everybody" permission to read your PHP files and directories.
Edit2: If you need PHP to upload files, it is really done as user apache/httpd. Therefore you need to give full privileges to "everybody" to open directories and read/write 777. The file permissions should be 666.

Managing Permissions on web server for image upload

I have web server which allows for image uploading. When the user uploads an image, it uploads onto the server but when try to access the file using the browser from other pages it is giving me:
403 forbidden
What kind of permissions should the files have for accessing the images publicly?
I think the permission code you want to change it to is 0644.
Here's how to change the permission of a file with php.
chmod()
At least, for reading =). That will be chmod('0644') in PHP.
Make sure that the directory where the image files are placed is also accessible for reading, so that both the access rights and the .htaccess settings grant read access.
Try 3-digit chmod 664 command. The last digit sets the permission for class 'others', which basically encloses all your client-side users. 4 stands for read-only.

What is the most secure way to create upload directories?

I have an image upload script. I ran into some trouble with permission errors so for the last little while the upload directory has had permissions 0777. Dangerous, I know.
For some reason, it was the only permission that would allow the files to upload. I have now realised that the reason a safer permission didn't work was because of the owner of the directory.
I've been creating my upload directories using FTP. I thought this would be okay. But from what I understand FTP and HTTP aren't in the same group?
I've started creating the directories using PHP's mkdir(), which allows me to set a safer permission that works with my script.
But before I possibly get into another bad habit. Can someone please confirm that this is the correct way to do it? Is there a better way?
The owner of the directory should be the user which runs your PHP script - on Ubuntu this would be www-data. In short, creating folders with PHP mkdir() is okay. Then you should set permissions. 0700 is the most secure, but if another user needs to read from or write to this directory, you should add this user to the main group of the user which runs your PHP script and set permissions to 0750 or 0770 respectively. On Ubuntu this group is also www-data.
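A way to apply the answer above in the upload script, as an added example that is not part of the original thread: create the directory from PHP, then check ownership and mode before using it. The path and the 0750 default are assumptions, and `posix_geteuid()` requires the posix extension.

```php
<?php
// Added example: create an upload directory owned by the PHP user.
function ensureUploadDir(string $dir, int $mode = 0750): void
{
    // mkdir() can lose a race with another request; re-check is_dir().
    if (!is_dir($dir) && !mkdir($dir, $mode, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    clearstatcache(true, $dir);

    // A directory created over FTP belongs to the FTP user, not to the
    // user PHP runs as, which is why only 0777 appeared to work.
    if (fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the PHP user");
    }

    // The mode given to mkdir() is reduced by the process umask, so
    // set it explicitly; chmod() is not affected by the umask.
    if (!chmod($dir, $mode)) {
        throw new RuntimeException("cannot set mode on $dir");
    }
    clearstatcache(true, $dir);

    // Refuse to continue with a world-writable upload directory.
    if ((fileperms($dir) & 0002) !== 0) {
        throw new RuntimeException("$dir is world-writable");
    }
}

ensureUploadDir(__DIR__ . '/uploads');   // assumed location
```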

upload security protection - do I need additional protection on a 777 folder

I just started working with uploading files via PHP.
From my understanding you need to set the properties of the folder to 777 so anyone can upload to that location.
That's fine and I only obviously keep information there that is not sensitive; it's basically images which are displayed back to the public.
However can someone not just run a delete statement if they know the image name to my server folder or is that only possible if the php file is on my server?
i.e. delete myimage.png
Basically my question is: other than the normal security precautions like limiting the upload to only .png, using basename etc., do I need to take additional security measures to prevent someone deleting files in that folder, or can that only be done from a script on my webserver?
I won't be using any post methods to delete images or anything like that, but I'm just not sure if it's possible to take advantage of a folder with 777 permission and do unauthorized stuff since I gave full access to the folder.
By 777 you're actually giving read/write/execute access to all the users of the machine where your server lives. Note that this does not mean even website visitors can read/write/execute directly. It's always your webserver (Apache) that does it.
However can someone not just run a delete statement if they know the image name to my server folder or is that only possible if the php file is on my server
If your PHP scripts have holes then, yes. If your webserver has holes then, yes :)
do I need additional protection on a 777 folder
Yes, you can do with a more restrictive permission. Make the owner of the public upload folder apache (mostly www-data), and set permissions of just 755, or maybe 775 in case even the group wants to write to it.
You can change folder permission 777 to 755 or 744.
