Can't upload to directory when 755
#1

   Hi;

   I upload files to a temp directory (I don't keep important files there) on the server but it won't allow me to upload unless I make it 777.

   2 questions:

       Is it secure to keep it 777? If not what are the issues?
       With 755 I get a permission denied error.


   What is the right thing to do?
   Cheers
Reply
#2

In most cases you will chmod your writable directories to 777, so everyone can do anything with the files there. But you give those rights only for that directory. Your directory should be placed outside the document root of your webserver, somewhere in a safe path, so it can't be accessed directly.

You will find a very good description of Linux rights in this post:

http://serverfault.com/questions/357108/...-webserver

Reply
#3

(This post was last modified: 01-23-2015, 05:52 AM by sv3tli0.)

755 is the perfect mode for the directory owner :)
Usually, if the folder is owned by, let's say, www-data:www-data (which is the Apache client in Debian), your script will work fine with 755.
Otherwise the easiest way is to use 777, but from a sysadmin's point of view this is FORBIDDEN :)

The problem comes from the fact that if you create the folder manually, it will be owned by the current user (usually root).
But Apache is not root and it's not in the root user group, so 755 can't work.
An option is to create the folder within the upload request, so it will be owned by Apache (the same user who is uploading the file) and 755 will be just fine.
Reply
#4

@sv3tli0: You're right, the problem for many users is the provider settings. So a safe way could be, as you described, to dynamically generate the upload directory and to delete it after the work is done ;)

Reply
#5

For the apache user to create a directory, it must already have a directory owned by it ... There's no point in that.

Just change the upload directory's ownership.
Reply
#6

Generally speaking, you should avoid setting directories to 777 as this means that ANY USER ON THE SERVER can read and write that directory. This is especially bad if your server is a shared host and you don't trust the other users on it. If you can help it, you should never do this. If you must, well you must...

If you grant ownership and write permissions for the directory to Apache (or whatever web server is running) then you still run essentially the same risk as just setting the folder to 777 (anyone can create a PHP script hosted on the web server) UNLESS your server is configured with something like suExec or suPHP. These modules cause Apache and/or PHP to run as some particular user other than apache or www-data or whatever. In this case, you don't have to worry so much about PHP scripts hosted by others on your server, but you have to be especially careful about your own PHP scripts because when people access them, they are typically running as YOUR USERNAME. Basically, your scripts have write access to all the files and folders that belong to your username. It would in this case probably be wise to turn off write permissions even to your own user for all of your files even though it's a pain in the ass. In practice, I don't think anyone actually does this. You just have to be sure your PHP scripts only write the files they are supposed to and watch out for malicious people using your PHP to write files you don't want them to write.

Generally speaking, you should
* grant the absolute minimum permissions possible
* put any writable directories outside the web root or you run the risk that someone will write some evil exploit to your web directory and then request that file via the server.
* be extremely careful about writing files, directories, or data in response to user input. Screen input for XSS or exploits, escape query values properly, and make sure file pathnames are confined to the directory where they are destined instead of something like '/etc/passwd' or "../../../config.php"
* make sure users are properly authenticated and have permission to write whatever they are attempting to write
* probably other stuff I'm forgetting...
Reply
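
Added example (not part of any post in this thread): a small shell check for the three points raised above, namely that the upload directory is not world-writable (777), is owned by the web server user so 755 is enough, and sits outside the document root. The function name and the paths in the usage comment are assumptions; www-data is the user named in post #3.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed usage (paths are placeholders):
#   check_upload_dir /srv/app/uploads www-data /var/www/html

# check_upload_dir DIR WEB_USER DOCROOT
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
check_upload_dir() {
    dir=$1; web_user=$2; docroot=$3; rc=0

    [ -d "$dir" ] || { echo "MISSING: $dir is not a directory"; return 1; }

    # Resolve symlinks and ".." so the docroot comparison cannot be fooled.
    real_dir=$(cd "$dir" && pwd -P) || return 1
    real_root=$(cd "$docroot" 2>/dev/null && pwd -P) || real_root=$docroot

    # o+w (as in 777): any local account can create or replace files here.
    if [ -n "$(find "$real_dir" -prune -perm -0002)" ]; then
        echo "WORLD-WRITABLE: $real_dir (any user on the server can write)"
        rc=1
    fi

    # With 755 only the owner can write, so the owner must be the web user.
    owner=$(ls -ld "$real_dir" | awk '{print $3}')
    if [ "$owner" != "$web_user" ]; then
        echo "OWNER: $real_dir is owned by $owner, not $web_user"
        rc=1
    fi

    # A writable directory under the web root can be requested over HTTP.
    case "$real_dir/" in
        "$real_root"/*) echo "IN-DOCROOT: $real_dir is under $real_root"; rc=1 ;;
    esac

    return $rc
}
```

If the OWNER finding fires, the fix suggested in post #5 is to change the directory's ownership to the web server user and keep the mode at 755.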



