Chmod

Hi,

I am at the base of an FTP thingy I'm building, and I noticed that
it would only work if I chmod the folder 777. I thought to remember
correctly that previously on another site chmod 744 was enough;
now it isn't.
Am I mistaken, and should it always be 777? And isn't a chmodded
777 folder much more vulnerable?

Frizzle.
Code so far below:
++++++++++++++++++++++++++
<?php

require_once('../inc/globals.php');   // defines $default_ftp_server, $default_ftp_user, $default_ftp_pass

// defined outside the if-block because the directory listing at the bottom
// of the page needs it on every request, not only after an upload
$uploaddir = '../items/';

if( isset( $_FILES['image'] ) ){

    // FTP connection: opened and closed, but not used for the transfer below
    $ftp_conn = @ftp_connect( $default_ftp_server ) or
        die('<b>Error!</b>');
    @ftp_login( $ftp_conn, $default_ftp_user, $default_ftp_pass ) or
        die('<b>Error!</b>');

    $uploadfile = $uploaddir . basename( $_FILES['image']['name'] );

    // move_uploaded_file() writes as the web server's own user, so ../items/
    // has to be writable by that uid (this is where the chmod question comes in)
    if ( move_uploaded_file( $_FILES['image']['tmp_name'], $uploadfile ) ){
        echo "File is valid, and was successfully uploaded.";
    } else {
        echo "Possible file upload attack!";
    }

    ftp_close( $ftp_conn );

}

?>
<!-- $PHP_SELF only exists with register_globals; read it from $_SERVER and escape it -->
<form action="<?php echo htmlspecialchars( $_SERVER['PHP_SELF'] ); ?>" method="post"
      enctype="multipart/form-data" name="images" target="_top" id="images"
      class="form">
<input name="image" type="file" id="image">
<br>
<input type="submit" name="upload" id="upload" value="Upload">
<input name="cancel" type="button" id="cancel" value="Cancel"
       onClick="javascript:history.go(-1)">
</form><?php

// list whatever is currently in the upload directory
if (is_dir($uploaddir)) {
    if ($dh = opendir($uploaddir)) {
        while (($file = readdir($dh)) !== false) {
            if ($file !== '..' && $file !== '.') {
                echo "filename: $file : filetype: " . filetype($uploaddir . $file) . "<br>\r\n";
            }
        }
        closedir($dh);
    }
}

?>
----------------------------------------------------

Apr 4 '06
> If the php application created it, the owner will be the user running the
> application - in the case of a web application, it would be the webserver's
> userid.

Which may be your userid, which may be the userid you use for ftp.

Apr 24 '06 #41

Jerry Stuckle wrote:
> frizzle wrote:
>> Jerry Stuckle wrote:
>>> frizzle wrote:
>>>> <old posts snipped>
>>>> PHP & OS are similar.
>>>> My upload function is below.
>>>> Hope it can get me/you any further ...
>>>> (again, really thanks for all the help!!)
>>>>
>>>> Frizzle.
>>>> <code snipped>
>>>
>>> Sorry for the delay - I missed this one when you posted earlier in the week.
>>>
>>> Well, it isn't how I would have done it, but it should work.
>>>
>>> First thing I would have done was to move the uploaded file from the temp
>>> directory to a working directory (move_uploaded_file()). This gets it completely
>>> out of the temporary directory (which could be something like /tmp) where there
>>> may be limitations on what you can do with it.
>>>
>>> Then I'd do the resizing or whatever I need in my workarea.
>>>
>>> I'm also not sure why you're ftping back to yourself (at least I assume it's
>>> yourself). Why not just store the file where you want it?
>>>
>>> --
>>> ==================
>>> Remove the "x" from my email address
>>> Jerry Stuckle
>>> JDS Computer Training Corp.
>>> js*******@attglobal.net
>>> ==================
>>
>> No problem with the delay, I was only hoping your last message hadn't
>> been sent. And luckily it hasn't.
>>
>> Erm, this is an adjusted script of something I found somewhere.
>> I wouldn't know how to store it where I want ... :$ Shame on me.
>> I only have relatively little time during the weeks to dig into PHP :(
>> Is there something you could point me to (a script, preferably
>> w/o classes)?
>>
>> Frizzle.
>
> Not really. When I need something like this I just code it up. But they're
> typically special purpose and would need changing for your system.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> js*******@attglobal.net
> ==================

Jerry, is there any possibility for you e.g. to point me in a certain
direction? As you said, you would've done it differently ...

Frizzle.

Apr 24 '06 #42
frizzle wrote:
> Jerry Stuckle wrote:
>> frizzle wrote:
>>> Jerry Stuckle wrote:
>>>> frizzle wrote:
>>>>> <old posts snipped>
>>>>> PHP & OS are similar.
>>>>> My upload function is below.
>>>>> Hope it can get me/you any further ...
>>>>> (again, really thanks for all the help!!)
>>>>>
>>>>> Frizzle.
>>>>> <code snipped>
>>>>
>>>> Sorry for the delay - I missed this one when you posted earlier in the week.
>>>>
>>>> Well, it isn't how I would have done it, but it should work.
>>>>
>>>> First thing I would have done was to move the uploaded file from the temp
>>>> directory to a working directory (move_uploaded_file()). This gets it completely
>>>> out of the temporary directory (which could be something like /tmp) where there
>>>> may be limitations on what you can do with it.
>>>>
>>>> Then I'd do the resizing or whatever I need in my workarea.
>>>>
>>>> I'm also not sure why you're ftping back to yourself (at least I assume it's
>>>> yourself). Why not just store the file where you want it?
>>>>
>>>> --
>>>> ==================
>>>> Remove the "x" from my email address
>>>> Jerry Stuckle
>>>> JDS Computer Training Corp.
>>>> js*******@attglobal.net
>>>> ==================
>>>
>>> No problem with the delay, I was only hoping your last message hadn't
>>> been sent. And luckily it hasn't.
>>>
>>> Erm, this is an adjusted script of something I found somewhere.
>>> I wouldn't know how to store it where I want ... :$ Shame on me.
>>> I only have relatively little time during the weeks to dig into PHP :(
>>> Is there something you could point me to (a script, preferably
>>> w/o classes)?
>>>
>>> Frizzle.
>>
>> Not really. When I need something like this I just code it up. But they're
>> typically special purpose and would need changing for your system.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> js*******@attglobal.net
>> ==================
>
> Jerry, is there any possibility for you e.g. to point me in a certain
> direction? As you said, you would've done it differently ...
>
> Frizzle.

Yes, to start I'd move it from the temporary directory with
move_uploaded_file(). Then I'd do my work on it and write it directly to the
filesystem with the file functions such as fopen(), etc.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Apr 24 '06 #43
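The flow Jerry describes (move the upload out of the temp directory with move_uploaded_file(), work on it in a working area, then write it to its final place with ordinary file functions instead of an FTP round-trip) as an added worked example. This is example code written for this page, not code from the thread or from any poster; the working directory path, the set of accepted image types and the server-generated file names are assumptions made for the example.

```php
<?php
// Added example (not code from the thread): upload handler following Jerry's
// advice. Step 1 moves the file out of /tmp into a directory we control,
// step 2 inspects it there, step 3 writes it to the public directory with a
// plain filesystem call, step 4 cleans up whatever happens in between.
declare(strict_types=1);

const WORK_DIR  = __DIR__ . '/../work';   // assumed: outside the web root, writable by PHP's uid
const ITEMS_DIR = __DIR__ . '/../items';  // the thread's upload target

// Image types accepted, mapped to the extension they are stored under.
// The extension comes from the file's content, never from the client-supplied name.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Validate one $_FILES entry and store it. Returns the final path on success
 * and throws RuntimeException on any failure, so the caller handles one outcome.
 */
function storeUploadedImage(array $upload, string $workDir, string $itemsDir): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . $upload['error']);
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }

    // Step 1: out of the temp directory, under a name we chose ourselves.
    $workPath = $workDir . '/' . bin2hex(random_bytes(16)) . '.upload';
    if (!move_uploaded_file($upload['tmp_name'], $workPath)) {
        throw new RuntimeException('move_uploaded_file() failed; check owner/mode of ' . $workDir);
    }

    try {
        // Step 2: decide what the file is from its bytes (getimagesize reads the header),
        // not from $_FILES['image']['name'] or ['type'], which the client controls.
        $info = @getimagesize($workPath);
        if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
            throw new RuntimeException('rejected: not a JPEG, PNG or GIF image');
        }
        $ext = ALLOWED_TYPES[$info[2]];

        // Step 3: write it into the public directory under a server-generated name,
        // world-readable but writable only by the owning uid (0644).
        $finalPath = $itemsDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
        if (!rename($workPath, $finalPath)) {
            throw new RuntimeException('could not write into ' . $itemsDir);
        }
        chmod($finalPath, 0644);
        return $finalPath;
    } finally {
        // Step 4: never leave the intermediate file behind, success or failure.
        if (is_file($workPath)) {
            unlink($workPath);
        }
    }
}

// Usage: same form field name ('image') as the script in the first post.
if (isset($_FILES['image'])) {
    try {
        $path = storeUploadedImage($_FILES['image'], WORK_DIR, ITEMS_DIR);
        echo 'Stored as ' . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Both move_uploaded_file() and rename() run as the PHP process's own uid, so the working and items directories only need to be writable by that one uid (or its group); nothing here needs a 777 directory. Because the stored name and extension are generated on the server, a visitor cannot choose where under ../items/ the file lands or what the web server will call it.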
fletch wrote:
>> If the php application created it, the owner will be the user running the
>> application - in the case of a web application, it would be the webserver's
>> userid.
>
> Which may be your userid, which may be the userid you use for ftp.

In that case the PHP application didn't create it. FTP did. It may have been
driven by the PHP application, but it's not the application working directly on
the filesystem.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Apr 24 '06 #44
>> Which may be your userid, which may be the userid you use for ftp.
>
> In that case the PHP application didn't create it. FTP did. It may have been
> driven by the PHP application, but it's not the application working directly on
> the filesystem.

I should be clearer. Apache can run with suExec, and often does in a
shared hosting environment. This means that the particular apache
process which runs a script runs with the uid and gid of that script.
The host will then ensure that the files in the user's directory have
the correct uid and gid bits set. This means that the uid of an ftp'd
file and a file created by php run through apache will be the same.

Just a footnote to the main point of the thread.
From http://httpd.apache.org/docs/1.3/suexec.html

The suEXEC feature -- introduced in Apache 1.2 -- provides Apache users the ability to run CGI and
SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a
CGI or SSI program executes, it runs as the same user who is running the web server.

Used properly, this feature can reduce considerably the security risks involved with allowing users
to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it
can cause any number of problems and possibly create new holes in your computer's security. If
you aren't familiar with managing setuid root programs and the security issues they present, we
highly recommend that you not consider using suEXEC.

Apr 24 '06 #45
fletch wrote:
>>> Which may be your userid, which may be the userid you use for ftp.
>>
>> In that case the PHP application didn't create it. FTP did. It may have been
>> driven by the PHP application, but it's not the application working directly on
>> the filesystem.
>
> I should be clearer. Apache can run with suExec, and often does in a
> shared hosting environment. This means that the particular apache
> process which runs a script runs with the uid and gid of that script.
> The host will then ensure that the files in the user's directory have
> the correct uid and gid bits set. This means that the uid of an ftp'd
> file and a file created by php run through apache will be the same.
>
> Just a footnote to the main point of the thread.
> From http://httpd.apache.org/docs/1.3/suexec.html
>
> The suEXEC feature -- introduced in Apache 1.2 -- provides Apache users the ability to run CGI and
> SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a
> CGI or SSI program executes, it runs as the same user who is running the web server.
>
> Used properly, this feature can reduce considerably the security risks involved with allowing users
> to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it
> can cause any number of problems and possibly create new holes in your computer's security. If
> you aren't familiar with managing setuid root programs and the security issues they present, we
> highly recommend that you not consider using suEXEC.

Thanks for the info, Fletch. I knew there was something different about SuEXEC,
but wasn't sure what it was.

So he may need to either chown the scripts to the Apache process owner, or
create the directories with the same owner as the script?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Apr 24 '06 #46
> So he may need to either chown the scripts to the Apache process owner, or
> create the directories with the same owner as the script?

I think so yes.

Apr 25 '06 #47
fletch wrote:
>> So he may need to either chown the scripts to the Apache process owner, or
>> create the directories with the same owner as the script?
>
> I think so yes.

OK, that makes sense then. Thanks again for the info!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Apr 25 '06 #48
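Both the opening question (why the folder only works with 777 when 744 used to do) and the suEXEC exchange in #45 to #48 (whether the script runs as its own file owner, so that an ftp'd file and a PHP-created file share a uid) come down to one thing: which of a directory's three permission classes, owner, group or other, applies to the PHP process. The following added diagnostic, written for this page and not taken from the thread, works that out from stat() and the posix functions and prints the least-privilege fix for each case; the items directory path is an assumption and the script assumes a Unix host with the posix extension.

```php
<?php
// Added example (not code from the thread): report which permission class of a
// directory applies to the running PHP process and what the minimal fix is.
// Assumes a Unix host with the posix extension (posix_geteuid() etc.).
declare(strict_types=1);

/**
 * Pure decision, separate from the filesystem so it can be reasoned about:
 * given the directory's owner, group and mode and the process's effective uid
 * and group list, say which bits apply and whether they allow creating a file.
 * Creating an entry in a directory needs both the write (2) and execute (1) bit
 * of the applicable class, so 744 grants that to the owner and to nobody else.
 */
function writeAccessFor(int $dirUid, int $dirGid, int $mode, int $procUid, array $procGids): array
{
    if ($procUid === 0) {
        return ['class' => 'root', 'canWrite' => true,
                'advice' => 'PHP is running as root; that is the first thing to fix'];
    }
    if ($procUid === $dirUid) {
        return ['class' => 'owner', 'canWrite' => ($mode & 0300) === 0300,
                'advice' => 'owner bits apply: 7xx (744 or 755) is enough, 777 is not needed'];
    }
    if (in_array($dirGid, $procGids, true)) {
        return ['class' => 'group', 'canWrite' => ($mode & 0030) === 0030,
                'advice' => 'group bits apply: use 775 (or 770), not 777; 744 cannot work here'];
    }
    return ['class' => 'other', 'canWrite' => ($mode & 0003) === 0003,
            'advice' => 'only the "other" bits apply, which is why 777 was needed; '
                      . 'chown the directory to the PHP uid (then 755) '
                      . 'or put both users in one group (then 775) instead'];
}

/** Collect the live numbers for $dir and run them through writeAccessFor(). */
function explainDirectory(string $dir): string
{
    $st = stat($dir);
    if ($st === false) {
        throw new RuntimeException("cannot stat $dir");
    }
    $procUid  = posix_geteuid();
    // primary gid plus supplementary groups: all of them count for the group class
    $procGids = array_merge([posix_getegid()], posix_getgroups() ?: []);
    $mode     = $st['mode'] & 0777;
    $r        = writeAccessFor((int) $st['uid'], (int) $st['gid'], $mode, $procUid, $procGids);

    $out   = [];
    $out[] = sprintf('%s: owner uid %d, gid %d, mode %04o', $dir, $st['uid'], $st['gid'], $mode);
    $out[] = sprintf('PHP process: uid %d, gids %s', $procUid, implode(',', $procGids));
    $out[] = sprintf('applicable class: %s; writable by the mode bits: %s; is_writable(): %s',
        $r['class'], $r['canWrite'] ? 'yes' : 'no', is_writable($dir) ? 'yes' : 'no');
    // The suEXEC point from the thread: under it the script runs as its own file owner.
    $out[] = $procUid === fileowner(__FILE__)
        ? 'this script runs as its own file owner (suEXEC-style)'
        : 'this script runs as the web server user, not as its file owner';
    $out[] = 'advice: ' . $r['advice'];
    return implode("\n", $out);
}

// Usage: point it at the upload directory from the first post (assumed path).
echo nl2br(htmlspecialchars(explainDirectory(__DIR__ . '/../items'), ENT_QUOTES, 'UTF-8'));
```

The script prints the verdict from the classic mode bits next to what is_writable() reports, because the two can disagree: ACLs, open_basedir, safe_mode or a mandatory access control system such as SELinux can still refuse a write that the mode bits would allow. When the applicable class turns out to be "other", the 777 the OP ended up with is the symptom, and the fix is the one fletch and Jerry arrive at: make the directory's owner (or group) match the uid PHP actually runs under, then drop the world-writable bit.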
