Yes, it's secure to put files above the document root. Same way your /etc/passwd file is safe from browser inspection.
No, it's not secure to put files at permission level 777. Same way your /etc/passwd file isn't 777. (By default, it's 644)
Yes, it's secure to write files using PHP above the document root, provided you narrowly define the location of the file.
No, it's not secure to accept user input for the file's contents if they're going to be blindly read and echoed into HTML. Or to allow the user to define the name of the file, without checking for non-filename-characters (including / and .)
etc etc etc.
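The points in the post above, put together as an added example that is not part of the original thread: the code fixes the directory, the file name is checked against an allow-list, and stored contents are escaped before they reach HTML. The function names, the `.txt`-only naming rule and the temporary demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Accept only names like "report-2024.txt": no "/", no "..", and exactly
// one dot, which is the one in the fixed ".txt" suffix.
function safe_filename(string $name): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name) === 1 ? $name : null;
}

// Write $contents into $dir. The code chooses $dir, never the user.
function save_note(string $dir, string $name, string $contents): bool
{
    $file = safe_filename($name);
    $base = realpath($dir);
    if ($file === null || $base === false || !is_dir($base)) {
        return false;
    }
    $path = $base . DIRECTORY_SEPARATOR . $file;
    if (is_link($path)) {            // do not write through a planted symlink
        return false;
    }
    if (file_put_contents($path, $contents, LOCK_EX) === false) {
        return false;
    }
    return chmod($path, 0640);       // owner rw, group r, world nothing
}

// Read a stored note back and escape it before it is echoed into HTML.
function render_note(string $dir, string $name): ?string
{
    $file = safe_filename($name);
    $base = realpath($dir);
    if ($file === null || $base === false) {
        return null;
    }
    $raw = @file_get_contents($base . DIRECTORY_SEPARATOR . $file);
    return $raw === false ? null
        : htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demo: a temp directory stands in for the folder above the root.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'private_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);               // only the owning user may enter or write
}
var_dump(save_note($dir, '../index.php', 'x'));         // traversal attempt
var_dump(save_note($dir, 'note-1.txt', '<b>hi</b>'));   // valid name
echo render_note($dir, 'note-1.txt'), PHP_EOL;
```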
I don't know how less secure it might be, but IMHO 777 is unnecessarily permissive. AFAIK, typically of "owner", "group" and "world" the only one that might need full permission is "owner". True, if it's above the root "world" should never get there, but I don't like to take chances. And it is not unknown that there have been cases where a vulnerable site infected the shared host (the "group") and spread nasties like rootkits to other sites sharing the host.
I tried numerous permissions on both the directory and the file. The only way I could get the web page to save the generated file was to set the directory to 0777. The generated file was then saved as 0644.
What user was the file marked as being owned by when it was created? Consider making that user the owner of the directory and then restricting the permissions down.
The PHP script was uploaded below the root using Filezilla and did not have sufficient permissions to create a new directory above the root.
I used Filezilla to create the directory above the root.
I have read and unsuccessfully tried numerous solutions about changing server permissions. It seems like black magic and as stated the only way to get write permissions was to set 0777 to the directory above the root.
I also tried numerous Googled solutions without success.
According to the PHP manual:
Attempts to change the owner of the file filename to user user. Only the superuser may change the owner of a file.
As mentioned, manually creating a directory above the root and saving a file in the directory works OK and appears to be secure, so I will stick with that solution and keep an eye out for other solutions.
I have never used mod_ftp and access the sites through FileZilla and the Linux Command Prompt; both using SSH Encryption. Is this enough security or is it possible for the FTP daemon run as root to wreak havoc?