Uploading files - Directory Security

[dkroll]

Hello all,

I'm allowing logged in users to upload photos to a specific directory. The directory has 777 access rights. How much of a security risk is it to have a directory with 777 rights? I'm worried about someone being able to put something malicious in there.

Thanks for the input.

David

[Ramiro S]

Make sure the files they are uploading are .gif, jpg ... picture extensions... dont let them upload php, asp files etc because with chmod 777 they can execute it and try some things.

[dkroll]

Ramiro,

Thanks for the reply. In my script, I am limiting to .jpg and .gif, but I was worried about people getting access from outside of my script. I guess if a hacker wants to get access, they can do it whether it's 777 or not, correct?

Thanks,

David

[LiamW]

What you might want to do is have php chmod the folder 777, upload the files, then chmod the folder back to something safe.

[dkroll]

Liam,

That's a great idea, I'll try that.

[peanuts]

hmm .. I always understood that the folder might be on level 777 but the files you upload standard have a lower level (at least on Linux that is..)

All depending on the security mask...

[dkroll]

Liam,

I tried to do chmod ("path", 0777);, but I get an error:

"Warning: chmod() [function.chmod]: Operation not permitted in myphpfile.php line 99"

[peanuts]

Liam,

I tried to do chmod ("path", 0777);, but I get an error:

"Warning: chmod() [function.chmod]: Operation not permitted in myphpfile.php line 99"

Sounds like a problem I had ...

In Linux your php daemon isn't always the same (nor in the same group) as the ftp daemon ...

This is why if you have a script do actions on files and dirs the rights have to be set at 777 or the folder needs to be created using the php-daemon

complex... lets i.e.

i logged on to the server using ftp and created folder x this makes the user running ftp the owner of the folder ...

If I have php and let that create a folder y then the daemon running php will be the owner for folder y and I won't be able to control the properties nor delete it using ftp...

wanna set the chmod using ftp functions??

PHP Code:

   // set up basic connection
   $conn_id = ftp_connect($ftpadres); 
   // login with username and password
   $login_result = ftp_login($conn_id, $ftplogin, $ftppassword);
 
// php(ftp) command for chmod
ftp_site($conn_id, "chmod 777 $target"); 


I hope it helps ...

[dkroll]

I deleted the directory and did a mkdir using PHP. Then I uploaded a file to that directory, but I can't delete it in FTP, I assume that I'll have to use PHP to delete the file now. I wonder if the FTP route you described would be easier.

[peanuts]

I deleted the directory and did a mkdir using PHP. Then I uploaded a file to that directory, but I can't delete it in FTP, I assume that I'll have to use PHP to delete the file now. I wonder if the FTP route you described would be easier.

I had precisly the same struggle and I decided to use ONLY FTP in creating folders and then using PHP for everything else...

The reason why is that I didn't wanna use a filemanager in PHP ..

And since PHP can do FTP and otherway around isn't possible I decided to go for the FTP option...

Hey sometimes live is just not perfect

[dkroll]

But then I have to upload the file through ftp and delete it through ftp, correct?

[peanuts]

No not correct ... I use PHP all the time to upload and delete files... But thats the way my system works ... the php daemon has more rights than the ftp user ...

Get in contact with your host to figure this out or just try...

[dkroll]

I haven't tried to delete with php yet, but I did get my upload script working with ftp, it works quite well.