  1. #1
    SitePoint Addict

    php + linux file upload

    Hi,

    I have a file upload on my developing site. The upload works, although I am using a Linux server, and it saves the file with permissions for owner to read and write only. Is there any way to change these permissions during the upload?

    I am relatively new to Linux, and Windows (which I have used in the past) would provide the file with all permissions, well, to my knowledge it would.

    Regards
    p_h_p

  2. #2
    SitePoint Zealot detzX
    http://us.php.net/manual/en/function.chmod.php

    If you want to give all permissions (bad idea) you would do
    chmod("/somedir/somefile", 0777);
    www.invoicejournal.com - Invoice clients for Free

  3. #3
    SitePoint Addict
    Cheers.

    Can someone advise me please.
    I upload files to a server via PHP upload. These are stored on the server and accessed now and again, and most likely these files are executed to read and not write, e.g. a CSV file to update a database; alternatively some files contain text which is extracted and displayed in the browser.

    What permissions should I be looking at setting for these files (text files), and also what permissions for the folders the files are being uploaded to?

    At present the text files are stored with read and write permissions for owner only and this seems to work fine locally, although the code is not complete. Will this be the same in the live environment? At present the folders have to be in read, write and execute for owner, group and others for the files to be uploaded successfully.

    I want to be as secure as possible with the site still working to the highest effectiveness.

    Best Regards
    p_h_p

  4. #4
    SitePoint Enthusiast
    Hi,

    For files that need to be read by public and/or group after upload you can chmod($filePath, 0644); for directories, 755.

    Setting uploaded files to not be executable is a good idea (644 vs 755); this will hinder anyone trying to execute something on your server. Never set any file 777; this is a bad idea, and not necessary.

    If you have files such as PHP scripts and data files that only need to be read by PHP, you should look into using suPHP (or similar) to execute PHP. This runs PHP as the owner of the directory that contains your scripts, allowing you to set file/directory permissions of 600/700, which means nobody but the owner of the file can read it.

  5. #5
    SitePoint Addict
    Hi,

    Using suPHP - this sounds perfect. Is it a PHP config setup or a coding issue?

  6. #6
    SitePoint Enthusiast
    Hi P_H_P,

    suPHP runs as an Apache module, and requires that you run the CGI version of PHP. You should also put all your PHP scripts below the home directory of a nominated user (yourself), not in the default web root Apache directory (I'm assuming you're running Apache??). See the web site for more detail.

    http://www.suphp.org/Home.html

    I've heard suPHP does affect performance, I don't know how badly, someone else may be able to comment on this. But for low volume sites, it's not an issue.

    I can help with setup on Debian, which distro are you running? If you are with a host, ask them about either suPHP or php-cgiwrap, I know a few hosts either offer these or are willing to install them if asked.

    regards twenty205
    Last edited by twenty205; Aug 24, 2007 at 18:51.

  7. #7
    SitePoint Addict
    You are correct - I'm running Apache and also a Debian local box.

    I will look into using suPHP and check my host can install this. twenty205, from the following, have I understood everything correctly:

    you stated that using suphp, php scripts will upload files (i only allow .txt files) and become the owner of the file and later the file data can be read in. - This way I can restrict the folders and text files to only owner right permissions.

    Out of curiosity, other than restricting permissions, checking file types and size and also possibly renaming the file being uploaded, are there any other security functions I could apply to my upload script, e.g. a virus scanner? I have not researched this yet.

    Regards
    p_h_p

  8. #8
    SitePoint Enthusiast
    Originally posted by p_h_p:
    you stated that using suphp, php scripts will upload files (i only allow .txt files) and become the owner of the file and later the file data can be read in. - This way I can restrict the folders and text files to only owner right permissions.
    Not quite, suPHP causes the PHP process to run as the user that owns the script that is being run. So this means one can set the permissions of a PHP script or text file that is read by PHP to 600; this means that only the owner of the files and PHP can read them. Alternatively set the containing directory to 700.

    This gives added security if PHP stops working, no one can just browse your script directory and read your source code.

    I'm no security expert, these are just the precautions I take myself.

    As far as other things you could do, when I upload images I check that they are in fact images using GD; I guess you could also use ImageMagick?? I've not yet had text uploaded by untrusted sources, but if I was, I guess I would also try to figure a way to make sure it was a text file, not a binary, and add a Regular Expression to make sure it was what I was expecting. I've not investigated virus scanners either; someone else may like to comment on this.

    CU

    twenty205
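
An added example, not code from any poster in this thread, that combines the advice above: check that the upload is text matching an expected pattern, store it under a server-chosen name, and set 644/755 explicitly (pass 0600 and 0700 when PHP runs as the script owner under suPHP). The function names, `MAX_BYTES` and `LINE_PATTERN` are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

const MAX_BYTES = 1048576;                         // assumed size limit (1 MiB)
const LINE_PATTERN = '/^[A-Za-z0-9 .,;:@_-]*\z/';  // assumed shape of one line

// True when every line of $data matches the expected pattern; the
// allow-list rejects NUL and other binary bytes as a side effect.
function is_expected_text(string $data): bool
{
    if ($data === '') {
        return false;
    }
    foreach (preg_split('/\r\n|\n|\r/', $data) as $line) {
        if (preg_match(LINE_PATTERN, $line) !== 1) {
            return false;
        }
    }
    return true;
}

// Validates one $_FILES entry, stores it under a server-chosen name and
// sets the modes discussed in the thread. Returns the stored path.
function store_text_upload(array $file, string $dir, int $fileMode = 0644, int $dirMode = 0755): string
{
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('not a completed HTTP upload');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || strpos($mime, 'text/') !== 0
        || !is_expected_text((string) file_get_contents($tmp))) {
        throw new RuntimeException('content is not the expected text');
    }
    // mkdir() is subject to umask, so the mode is set again with chmod().
    if (!is_dir($dir) && !(mkdir($dir, $dirMode, true) && chmod($dir, $dirMode))) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.txt';
    if (!move_uploaded_file($tmp, $dest) || !chmod($dest, $fileMode)) {
        throw new RuntimeException('cannot store upload');
    }
    return $dest;
}

// Constructed samples for the content check (php CLI only).
if (PHP_SAPI === 'cli') {
    var_dump(is_expected_text("id,name\n1,alice\n"), is_expected_text("\x7fELF\x02\x01\x01\x00"));
}
```

In an upload handler this would be called as `store_text_upload($_FILES['upload'], $dir)`, where `upload` is a hypothetical form field name and `$dir` sits outside the web root.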

