  1. #1
    SitePoint Enthusiast
    Join Date
    Apr 2003
    Location
    Montgomery, TX
    Posts
    59

    Uploading files - Directory Security

    Hello all,

    I'm allowing logged in users to upload photos to a specific directory. The directory has 777 access rights. How much of a security risk is it to have a directory with 777 rights? I'm worried about someone being able to put something malicious in there.

    Thanks for the input.

    David

  2. #2
    SitePoint Addict Ramiro S
    Join Date
    May 2003
    Posts
    321
    Make sure the files they are uploading are .gif, .jpg ... picture extensions... don't let them upload php, asp files etc. because with chmod 777 they can execute it and try some things.
    Quasar - Web Development - Free Avatars
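
An added example, not part of the original thread: a PHP upload handler that goes beyond the extension check suggested in post #2 by inspecting the file content, choosing the stored name on the server, and storing the file without execute bits. `UPLOAD_DIR`, the form field name `photo` and the function name `store_photo` are assumptions.

```php
<?php
// Added example (not from the thread). UPLOAD_DIR and the "photo" field are assumptions.
const UPLOAD_DIR = '/var/www/uploads';   // placeholder path, ideally outside the web root
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_photo(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Decide the type from the file content, not from the client-supplied
    // file name or Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a JPEG or GIF image');
    }

    // Server-chosen name: no user-controlled path or extension reaches the disk,
    // so "photo.php" or "../x.jpg" cannot influence where or how it is stored.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // owner read/write, others read-only, no execute bits
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['photo'])) {
    try {
        echo 'stored as ', store_photo($_FILES['photo']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

File mode bits alone do not stop a web server from interpreting a `.php` file, so the upload directory should also be configured so that the server never runs scripts from it.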

  3. #3
    SitePoint Enthusiast
    Join Date
    Apr 2003
    Location
    Montgomery, TX
    Posts
    59
    Ramiro,

    Thanks for the reply. In my script, I am limiting to .jpg and .gif, but I was worried about people getting access from outside of my script. I guess if a hacker wants to get access, they can do it whether it's 777 or not, correct?

    Thanks,

    David

  4. #4
    SitePoint Zealot LiamW
    Join Date
    Mar 2003
    Location
    Hamilton, Ontario
    Posts
    129
    What you might want to do is have php chmod the folder 777, upload the files, then chmod the folder back to something safe.

  5. #5
    SitePoint Enthusiast
    Join Date
    Apr 2003
    Location
    Montgomery, TX
    Posts
    59
    Liam,

    That's a great idea, I'll try that.

  6. #6
    SitePoint Guru
    Join Date
    Aug 2001
    Location
    Amsterdam
    Posts
    788
    Hmm... I always understood that the folder might be on level 777 but the files you upload have a lower level by default (at least on Linux, that is...)

    All depending on the security mask...
    the neighbours (free) WIFI makes it just a little more fun

  7. #7
    SitePoint Enthusiast
    Join Date
    Apr 2003
    Location
    Montgomery, TX
    Posts
    59
    Liam,

    I tried to do chmod ("path", 0777);, but I get an error:

    "Warning: chmod() [function.chmod]: Operation not permitted in myphpfile.php line 99"

  8. #8
    SitePoint Guru
    Join Date
    Aug 2001
    Location
    Amsterdam
    Posts
    788
    Quote Originally Posted by dkroll
    Liam,

    I tried to do chmod ("path", 0777);, but I get an error:

    "Warning: chmod() [function.chmod]: Operation not permitted in myphpfile.php line 99"
    Sounds like a problem I had ...

    In Linux your php daemon isn't always the same (nor in the same group) as the ftp daemon ...

    This is why if you have a script do actions on files and dirs the rights have to be set at 777 or the folder needs to be created using the php-daemon

    Complex... let's take an example:

    I logged on to the server using ftp and created folder x; this makes the user running ftp the owner of the folder ...

    If I have php and let that create a folder y then the daemon running php will be the owner for folder y and I won't be able to control the properties nor delete it using ftp...

    wanna set the chmod using ftp functions??
    PHP Code:
    // set up basic connection
    $conn_id = ftp_connect($ftpadres);

    // login with username and password
    $login_result = ftp_login($conn_id, $ftplogin, $ftppassword);

    // php(ftp) command for chmod: sends "SITE chmod 777 <target>" to the FTP server
    ftp_site($conn_id, "chmod 777 $target");
    I hope it helps ...
    the neighbours (free) WIFI makes it just a little more fun
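
An added example, not part of the original thread: a PHP diagnostic for the two points raised in posts #6 to #8, namely which user owns the upload directory versus which user PHP runs as (the cause of the "Operation not permitted" warning), and what mode the process umask gives to new files. It assumes the POSIX extension is loaded; the function name and the path are placeholders.

```php
<?php
// Added example (not from the thread). Assumes the POSIX extension is loaded;
// the path at the bottom is a placeholder for your own upload directory.
function describe_upload_dir(string $dir): array
{
    clearstatcache(true, $dir);
    $st = stat($dir);
    if ($st === false) {
        throw new RuntimeException("cannot stat $dir");
    }
    $mode  = $st['mode'] & 07777;   // permission bits only
    $euid  = posix_geteuid();       // user the PHP process runs as
    $umask = umask();               // no argument: read the current mask

    return [
        'mode'           => sprintf('%04o', $mode),
        'owner_uid'      => $st['uid'],
        'php_euid'       => $euid,
        // chmod() is only permitted for the owner of the path (or root);
        // for anyone else it fails with "Operation not permitted".
        'php_can_chmod'  => $euid === 0 || $euid === $st['uid'],
        'php_can_write'  => is_writable($dir),
        'world_writable' => ($mode & 0002) !== 0,
        // Mode of a file PHP creates itself (e.g. with file_put_contents):
        'new_file_mode'  => sprintf('%04o', 0666 & ~$umask),
    ];
}

foreach (describe_upload_dir('/path/to/uploads') as $key => $value) {
    echo str_pad($key, 16), var_export($value, true), PHP_EOL;
}
```

When `owner_uid` and `php_euid` differ, a directory owned by the PHP user, or group-writable with a group both users share, gives PHP write access without the world-writable bit that 777 sets.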

  9. #9
    SitePoint Enthusiast
    Join Date
    Apr 2003
    Location
    Montgomery, TX
    Posts
    59
    I deleted the directory and did a mkdir using PHP. Then I uploaded a file to that directory, but I can't delete it in FTP, I assume that I'll have to use PHP to delete the file now. I wonder if the FTP route you described would be easier.

  10. #10
    SitePoint Guru
    Join Date
    Aug 2001
    Location
    Amsterdam
    Posts
    788
    Quote Originally Posted by dkroll
    I deleted the directory and did a mkdir using PHP. Then I uploaded a file to that directory, but I can't delete it in FTP, I assume that I'll have to use PHP to delete the file now. I wonder if the FTP route you described would be easier.
    I had precisely the same struggle and I decided to use ONLY FTP in creating folders and then using PHP for everything else...

    The reason why is that I didn't wanna use a filemanager in PHP ..

    And since PHP can do FTP and the other way around isn't possible I decided to go for the FTP option...

    Hey, sometimes life is just not perfect
    the neighbours (free) WIFI makes it just a little more fun

  11. #11
    SitePoint Enthusiast
    Join Date
    Apr 2003
    Location
    Montgomery, TX
    Posts
    59
    But then I have to upload the file through ftp and delete it through ftp, correct?

  12. #12
    SitePoint Guru
    Join Date
    Aug 2001
    Location
    Amsterdam
    Posts
    788
    No, not correct ... I use PHP all the time to upload and delete files... But that's the way my system works ... the php daemon has more rights than the ftp user ...

    Get in contact with your host to figure this out or just try...
    the neighbours (free) WIFI makes it just a little more fun

  13. #13
    SitePoint Enthusiast
    Join Date
    Apr 2003
    Location
    Montgomery, TX
    Posts
    59
    I haven't tried to delete with php yet, but I did get my upload script working with ftp, it works quite well.

