mkdir in a 755 dir

fi********@gmail.com Wrote:

i have the make.php located on my server. the only line of code is
mkdir("/home/foouser/public_html/newdir", 0755);. now
/home/foouser/public_html is "drwxr-xr-x 7 foouser foouser". with
just that code i get permission errors. ...

/home/foouser/public_html would have to be owned by the UID the *web
server* is running as. Another way would be to change
~foouser/public_html to mode 775 (drwxrwxr-x) and change it's group
owner to the GID the server is running as. For example on Tiger, GID
70 (group name, www).
--
macbri
------------------------------------------------------------------------
macbri's Profile: http://www.macosx.com/forums/member.php?userid=34415
View this thread: http://www.macosx.com/forums/showthread.php?t=240847
macosx.com - The Answer to Mac Support - http://www.macosx.com

fi********@gmail.com wrote:

Hi,

i have the make.php located on my server. the only line of code is
mkdir("/home/foouser/public_html/newdir", 0755);. now
/home/foouser/public_html is "drwxr-xr-x 7 foouser foouser". with
just that code i get permission errors.
As expected.
When you run a PHP script, that script runs almost in all cases as user
APACHE, often called: nobody, www-data, or just apache.
That user DOES NOT HAVE WRITEPERMISSION in the directory.

So, solutions:
1) Open up the directory to the world. (not wise maybe)
2) Make sure the user that runs php is in the same group as foouser, and
give the group writepermission.
3) Make a new directory in /home/foouser/public_html/forapache with:
drwx------ apache apache
or something that suits your needs.

Regards,
Erwin Moller
i am running make.php from a remote machine. so how can i get mkdir to create a directory in
/home/foouser/public_html without chmodding anything to 777. would
adding some type of authentication system to make.php work so that i
could let the server know that i'm foouser on my remote machine?

fi********@gmail.com wrote:

i have the make.php located on my server. the only line of code is
mkdir("/home/foouser/public_html/newdir", 0755);. now
/home/foouser/public_html is "drwxr-xr-x 7 foouser foouser". with
just that code i get permission errors. i am running make.php from a
remote machine. so how can i get mkdir to create a directory in
/home/foouser/public_html without chmodding anything to 777.
It's because the webserver is not running as user 'foouser' so doesn't have
write permission to /home/foouser/public_html

If you can chown that dir to the webserver user it will work - but for most
intents and pruposes this would have the same effect as chmoding the dir to
0777
would
adding some type of authentication system to make.php work so that i
could let the server know that i'm foouser on my remote machine?

No, IIRC, only root can change the privilege on a running process but
there's nothing to stop you creating a process running as foouser (although
this will need a *lot* of clever coding to get the process to do what you
want).

I did think about writing an I/O proxy in C to do exactly this - but after
worked out what was involved I had a sudden bout of apathy.

C.

Well, my next question is how would I do what you described in solution
#2?

thanks

Erwin Moller wrote:

fi********@gmail.com wrote:
As expected.
When you run a PHP script, that script runs almost in all cases as user
APACHE, often called: nobody, www-data, or just apache.
That user DOES NOT HAVE WRITEPERMISSION in the directory.

So, solutions: 2) Make sure the user that runs php is in the same group as foouser, and
give the group writepermission.
Regards,
Erwin Moller

ok, here's the update:

i'm trying to write an upload script on a web server that will not
allow me to change the ownership or group name of a directory. i can
physically create /public_html/uploads to be 777 so that i can upload
files and edit images uploaded on that directory. the problem is, how
can i prevent someone from writing their own script off of my server (a
remote script) and adding/deleting files in /public_html/uploads since
it is 777?

fi********@gmail.com wrote:

ok, here's the update:

i'm trying to write an upload script on a web server that will not
allow me to change the ownership or group name of a directory. i can
physically create /public_html/uploads to be 777 so that i can upload
files and edit images uploaded on that directory. the problem is, how
can i prevent someone from writing their own script off of my server (a
remote script) and adding/deleting files in /public_html/uploads since
it is 777?

Hi,

[where I say 'apache' here I mean the user that runs as apache the PHP code,
which is also named often 'www-data' or 'nobody']

A few things you should/can consider:
If you store the images in xxx/public_html/uploads probably anybody can just
type http://www.yoursite.com/uploads/... and get them, unless you take some
precautions like making the files unreadable for user apache, in which case
you'll have a hard time using them in your website. So that is a bad
solution, agree?

A solution I used once is the following:

You need a solution where apache can write the files (from fileupload) and
read them too (to use in your website).
So why not let apache create the directory and change the filepermissions on
it to: uploads drwx------ apache apache

Now apache can read, write, delete in that directrory.

Note: How to do this?
1) You'll have to temporary change permissions in the parentdirectory to
allow apache to create the directory in public_html.
chmod 777 public_html
2) Make a simple sript that creates the uploadsdirectory and chmod it to the
above (chmod 700 uploads).
3) Set the permissions on public_html back to whatever you like, or had
before.

Now you are reasonably safe, except for 1 thing: Other users on your machine
can ALSO run php scripts as apache (on most setups).
So they could modify this uploads directory via their own PHP scripts.

If you do not trust them (on shared hosting or because you know they are
@ssh0les) you could use the following trick to make their life more
misserable:
Instead of the uploadsdirectory, you make a subdirectory in uploads, which
you give a horrible name, like this:
/home/yourhomedir/public_html/uploads/Hytr647ygghfFpioiaoiu17897/
In that directory you store the images, and you make sure the
uploadsdirectory doesn't have listpermissions for apache.
so uploads will get:
uploads drw------- apache apache
and the funky named directory will get:
Hytr647ygghfFpioiaoiu17897 drwx------ apache apache

Now you have to do 1 last thing, because you do not want your html to
contain the name of the funky named directory. That would be too easy for
them.
So instead of pointing the path to your uploaded images directly to
upload/Hytr647ygghfFpioiaoiu17897/mrx.jpg

like in <img src="upload/Hytr647ygghfFpioiaoiu17897/mrx.jpg">

you need something like:
<img src="getimage.php?image=mrx.jpg">

And write a simple php script that knows the path to the image and returns
it. (That is very basic and you can find it on php.net)

Hope this helps.

Good luck.
Regards,
Erwin Moller

Thanks, Erwin. I've been searching and posting messages on the
Internet for two days now and have not found a decent answer, until I
read this. Good job.