User / Group Assignment

Wolf_22 · February 4, 2010, 6:24pm

When you upload stuff to a server, you can usually see who “owns” what files or directories. This little information is usually given for you in the phpinfo() function beside “User/Group.”

Something I’ve had problems with lately is an application running on a server that needs to make directories. Everything has ran smoothly except when something requires the creation of a directory–enter permissions.

From what research I’ve done on the matter, it just so happens that setting a parent directory to a recursive “777” will alleviate the given problem. Obviously, this is something I would prefer to avoid, but since I can’t get the system administrator to change the user, I feel as if my hands are tied.

According to the server guy, changing the owner would constitute an even worse security risk–and I originally sensed this through reading about potential disk quota concerns elsewhere–but even if that’s the case, things on a server are either secure or not secure.

So let me ask this:

1.) What IS the significance of the “User/Group”?
2.) The application in question is Wordpress 2.9. It keeps requiring the creation of the “Uploads” directory and every time an upload occurs, it runs into problems. Currently, a recursive “777” is applied to this directory, however, I’m curious as to whether or not this is really as bad as everyone makes it out to be and if so, is it possible that having a different owner could be causing the permissions issue? I read somewhere that Wordpress needs to have the same user as what is in the phpinfo().

drewls · February 6, 2010, 1:57am

What’s happening is that you are uploading with PHP. Files uploaded in that manner are owned by the user/group that the webserver runs under unless your host is running PHPsuexec.

Changing the permissions on those directories to 777 is not a good idea, neither is leaving the files owned by the webserver user. 777 grants any user on the system full control of those files. Generally, you don’t have too much to fear from other users on the system, but you do have a lot to fear from the webserver username (usually either apache or nobody) owning or having control of your files. If the webserver owns them, than any little Wordpress exploit will let outside users take control of your files. Or, possibly even any exploit in anyone’s PHP script anywhere else on the server could do the same.

What you want is the files owned by your username and group. If your server manager says otherwise, he’s been misinformed.

To stop this from happening at all, just upload whatever files you want to upload with FTP instead. That way, you avoid the problem entirely.

To check ownership in a directory listing, you can use the command:

ls -al

As far as changing them from the Apache user to your username, you’ll need root to do that.

I hope that helps somewhat.

Wolf_22 · February 6, 2010, 2:41am

Your answers were very helpful and also confirmed many of my suspicions. I feel better, now, about suggesting to the agency head that we find new hosting.

Topic		Replies	Views
Permissions PHP	3	260	August 24, 2011
Struggling to understand permissions PHP	3	561	December 6, 2010
File permissions PHP	5	247	August 17, 2010
PHP Script uploads and MkDir - owner/group problem means FTP cant access files PHP	3	418	September 7, 2011
What is the basic structure/set-up of a permissions management system? Server Config security	3	1425	October 21, 2014

User / Group Assignment

Related topics