473,225 Members | 1,319 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,225 software developers and data experts.

File upload permissions

I thought I had this licked, but apparently not.

I have a file upload script that attempts to upload a file to a
directory in the public_html directory - www.domain.com/upload

The permissions for the directory have to be 777 for this to work or
esle it aborts with a permissions error - obviously a problem. The php
script runs as user 'nobody'.

Tech support is through email, and level one is not that bright, or at
least not that fluent in english. I am trying to get the exact phrase to
tell them. Is it that I need them to set the group to nobody or add
nobody to the group or???

Am I on the right path? If 'nobody' was a member of the group, I could
use 775, right?

Thanks for the help,
Harvey
Nov 3 '08 #1
13 2618
eclipsme escribió:
I thought I had this licked, but apparently not.

I have a file upload script that attempts to upload a file to a
directory in the public_html directory - www.domain.com/upload

The permissions for the directory have to be 777 for this to work or
esle it aborts with a permissions error - obviously a problem. The php
script runs as user 'nobody'.

Tech support is through email, and level one is not that bright, or at
least not that fluent in english. I am trying to get the exact phrase to
tell them.
You can change the directory permissions yourself with any decent FTP
client. If you don't have FTP access, some control panels have this
feature too.
Is it that I need them to set the group to nobody or add
nobody to the group or???
Yes, changing the file ownership is another option.
Am I on the right path? If 'nobody' was a member of the group, I could
use 775, right?
Or even 770. Permissions digits mean: user/group/others. Just be aware
that user "nobody" is not the same as group "nobody"; what happens is
that when you create a new user, most distros create a group with the
same name as the user and add the user to the group as its only member.

The request should be something as "I need to change the ownership of
directory ~/public_html/upload so it belongs to the nobody group. I need
it to allow file uploads from my web site.".
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--
Nov 3 '08 #2
Álvaro G. Vicario wrote:
eclipsme escribió:
>I thought I had this licked, but apparently not.

I have a file upload script that attempts to upload a file to a
directory in the public_html directory - www.domain.com/upload

The permissions for the directory have to be 777 for this to work or
esle it aborts with a permissions error - obviously a problem. The php
script runs as user 'nobody'.

Tech support is through email, and level one is not that bright, or at
least not that fluent in english. I am trying to get the exact phrase
to tell them.

You can change the directory permissions yourself with any decent FTP
client. If you don't have FTP access, some control panels have this
feature too.
>Is it that I need them to set the group to nobody or add nobody to the
group or???

Yes, changing the file ownership is another option.
>Am I on the right path? If 'nobody' was a member of the group, I could
use 775, right?

Or even 770. Permissions digits mean: user/group/others. Just be aware
that user "nobody" is not the same as group "nobody"; what happens is
that when you create a new user, most distros create a group with the
same name as the user and add the user to the group as its only member.

The request should be something as "I need to change the ownership of
directory ~/public_html/upload so it belongs to the nobody group. I need
it to allow file uploads from my web site.".

Thanks for this!

Harvey
Nov 3 '08 #3
eclipsme wrote:
Álvaro G. Vicario wrote:
>eclipsme escribió:
>>I thought I had this licked, but apparently not.

I have a file upload script that attempts to upload a file to a
directory in the public_html directory - www.domain.com/upload

The permissions for the directory have to be 777 for this to work or
esle it aborts with a permissions error - obviously a problem. The
php script runs as user 'nobody'.

Tech support is through email, and level one is not that bright, or
at least not that fluent in english. I am trying to get the exact
phrase to tell them.

You can change the directory permissions yourself with any decent FTP
client. If you don't have FTP access, some control panels have this
feature too.
Right, but the problem I am facing is that permissions need to be 777 -
not the best option, right? So I am correct to pursue the ownership
issue, right? I just got an email back from support saying they did
this, but I am still getting a permissions error when the script tries
to move the file from the temp directory to the actual.

Harvey
Nov 3 '08 #4
>Right, but the problem I am facing is that permissions need to be 777 -
>not the best option, right?
The REASON 777 permissions are not the best option is primarily the
risk of tampering by the other people renting space on the same
host. (If you don't trust your host's admins, change hosts, but
you're really stuck with trusting someone's admins on a shared
host). You have the same problem with mode 770, group nobody. The
other people renting space (your competitors) can also run programs
with that user ID.
>So I am correct to pursue the ownership
issue, right? I just got an email back from support saying they did
this, but I am still getting a permissions error when the script tries
to move the file from the temp directory to the actual.
So what are the owner/permissions on THAT directory?
Nov 3 '08 #5
Gordon Burditt wrote:
>Right, but the problem I am facing is that permissions need to be 777 -
not the best option, right?

The REASON 777 permissions are not the best option is primarily the
risk of tampering by the other people renting space on the same
host. (If you don't trust your host's admins, change hosts, but
you're really stuck with trusting someone's admins on a shared
host). You have the same problem with mode 770, group nobody. The
other people renting space (your competitors) can also run programs
with that user ID.
>So I am correct to pursue the ownership
issue, right? I just got an email back from support saying they did
this, but I am still getting a permissions error when the script tries
to move the file from the temp directory to the actual.

So what are the owner/permissions on THAT directory?

Oh. I thought the problem was that anybody could upload a script to a
directory with 777 and run it. I wasn't thinking of others on the shared
host.

Also, not sure what you mean by "THAT" directory. This is the directory
that I am trying to get them to change - the directory that the file
will end up in. I have the permissions set to 770, but don't know hoe to
check the ownership. BTW - after going one more round with them, 3 of 6
folders are now working. It *would* be nice if I coould check the
ownership of them How do I do that?

Harvey
Nov 4 '08 #6
>>Right, but the problem I am facing is that permissions need to be 777 -
>>not the best option, right?

The REASON 777 permissions are not the best option is primarily the
risk of tampering by the other people renting space on the same
host. (If you don't trust your host's admins, change hosts, but
you're really stuck with trusting someone's admins on a shared
host). You have the same problem with mode 770, group nobody. The
other people renting space (your competitors) can also run programs
with that user ID.
>>So I am correct to pursue the ownership
issue, right? I just got an email back from support saying they did
this, but I am still getting a permissions error when the script tries
to move the file from the temp directory to the actual.

So what are the owner/permissions on THAT directory?

Oh. I thought the problem was that anybody could upload a script to a
directory with 777 and run it.
The "and run it" part isn't true if it's not inside the document
tree (and if it is inside the document tree, that's incredibly
dangerous). FTP by itself doesn't have a command to run a file on
the server. This assumes that "anybody" doesn't have a shell
account.
>I wasn't thinking of others on the shared
host.

Also, not sure what you mean by "THAT" directory.
You mentioned that the script tries to move the file from one
directory to another (That's two directories). You got the permissions
changed on one directory. I'm referring to the OTHER one. Or the
other three of six mentioned below, or whatever. If you're really
trying to move (rename) the file, you need to worry about permissions
on the source (so you can delete it) and destination (so you can
create files there) directories.
>This is the directory
that I am trying to get them to change - the directory that the file
will end up in. I have the permissions set to 770, but don't know hoe to
check the ownership.
Look at the PHP function stat(), or fileowner() and filegroup() to
get the uid and gid of the owner of the file. Use posix_getpwuid()
and posix_getgrgid() to translate uid and gid into names. fileperms()
might be useful also (display it in octal).
>BTW - after going one more round with them, 3 of 6
folders are now working. It *would* be nice if I coould check the
ownership of them How do I do that?
Nov 4 '08 #7
Perhaps I have not approached this correctly and need to rethink it.
Please, let me tell you what I am trying to do. Perhaps there is a
better way.

The database is for agendas, minutes and audio of various city meetings.
Each 'agency', like the city council, or redevelopment, has its own
table. The table holds only the name of the file, and the path to the
file is coded in the web pages.

I have written a script that takes input from a form,
enctype="multipart/form-data" and fields, type="file", and uses the PHP
command 'move_uploaded_file' to put the file where I want it. The script
then updates the database. This is the 'OTHER' directory referred to -
PHP uploads to a tmp directory then moves it to the final destination.
This is not important, I think, to the discussion.

You say, the "and run it" part isn't true if it's not inside the
document tree (and if it is inside the document tree, that's incredibly
dangerous)."

The directories *are* in the tree - /public_html/CRA/agendas, for
instance. This is what you are referring to as incredibly dangerous,
right? This is why I wanted to be able to limit permissions to 775. Is
the real problem where I am saving these files? Mind you, the files are
public files. I don't care if people can access them directly. I do care
if scripts or other files can be loaded by others.

Do I need to redo and keep these files below the web root? If so, will
these permission issues still apply? Will 777 be ok?

Finally, how does a web page access these files?

Thank so much for taking the time.
Harvey
Nov 4 '08 #8
eclipsme wrote:
Perhaps I have not approached this correctly and need to rethink it.
Please, let me tell you what I am trying to do. Perhaps there is a
better way.

The database is for agendas, minutes and audio of various city meetings.
Each 'agency', like the city council, or redevelopment, has its own
table. The table holds only the name of the file, and the path to the
file is coded in the web pages.

I have written a script that takes input from a form,
enctype="multipart/form-data" and fields, type="file", and uses the PHP
command 'move_uploaded_file' to put the file where I want it. The script
then updates the database. This is the 'OTHER' directory referred to -
PHP uploads to a tmp directory then moves it to the final destination.
This is not important, I think, to the discussion.

You say, the "and run it" part isn't true if it's not inside the
document tree (and if it is inside the document tree, that's incredibly
dangerous)."

The directories *are* in the tree - /public_html/CRA/agendas, for
instance. This is what you are referring to as incredibly dangerous,
right? This is why I wanted to be able to limit permissions to 775. Is
the real problem where I am saving these files? Mind you, the files are
public files. I don't care if people can access them directly. I do care
if scripts or other files can be loaded by others.

Do I need to redo and keep these files below the web root? If so, will
these permission issues still apply? Will 777 be ok?

Finally, how does a web page access these files?

Thank so much for taking the time.
Harvey
Look at the file extension, and only allow certain extensions to be
uploaded.

If your webserver is set up correctly, it won't execute .txt, .pdf, etc.
files. It will just serve them.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Nov 4 '08 #9
Jerry Stuckle wrote:
eclipsme wrote:
>Perhaps I have not approached this correctly and need to rethink it.
Please, let me tell you what I am trying to do. Perhaps there is a
better way.

The database is for agendas, minutes and audio of various city
meetings. Each 'agency', like the city council, or redevelopment, has
its own table. The table holds only the name of the file, and the path
to the file is coded in the web pages.

I have written a script that takes input from a form,
enctype="multipart/form-data" and fields, type="file", and uses the
PHP command 'move_uploaded_file' to put the file where I want it. The
script then updates the database. This is the 'OTHER' directory
referred to - PHP uploads to a tmp directory then moves it to the
final destination. This is not important, I think, to the discussion.

You say, the "and run it" part isn't true if it's not inside the
document tree (and if it is inside the document tree, that's incredibly
dangerous)."

The directories *are* in the tree - /public_html/CRA/agendas, for
instance. This is what you are referring to as incredibly dangerous,
right? This is why I wanted to be able to limit permissions to 775. Is
the real problem where I am saving these files? Mind you, the files
are public files. I don't care if people can access them directly. I
do care if scripts or other files can be loaded by others.

Do I need to redo and keep these files below the web root? If so, will
these permission issues still apply? Will 777 be ok?

Finally, how does a web page access these files?

Thank so much for taking the time.
Harvey

Look at the file extension, and only allow certain extensions to be
uploaded.

If your webserver is set up correctly, it won't execute .txt, .pdf, etc.
files. It will just serve them.
I have included this checking in the script. So, are you saying that
having these files in the tree is ok? and that 777 would be ok?

Sorry to be such a bother.

Harvey
Nov 4 '08 #10
eclipsme wrote:
Jerry Stuckle wrote:
>eclipsme wrote:
>>Perhaps I have not approached this correctly and need to rethink it.
Please, let me tell you what I am trying to do. Perhaps there is a
better way.

The database is for agendas, minutes and audio of various city
meetings. Each 'agency', like the city council, or redevelopment, has
its own table. The table holds only the name of the file, and the
path to the file is coded in the web pages.

I have written a script that takes input from a form,
enctype="multipart/form-data" and fields, type="file", and uses the
PHP command 'move_uploaded_file' to put the file where I want it. The
script then updates the database. This is the 'OTHER' directory
referred to - PHP uploads to a tmp directory then moves it to the
final destination. This is not important, I think, to the discussion.

You say, the "and run it" part isn't true if it's not inside the
document tree (and if it is inside the document tree, that's incredibly
dangerous)."

The directories *are* in the tree - /public_html/CRA/agendas, for
instance. This is what you are referring to as incredibly dangerous,
right? This is why I wanted to be able to limit permissions to 775.
Is the real problem where I am saving these files? Mind you, the
files are public files. I don't care if people can access them
directly. I do care if scripts or other files can be loaded by others.

Do I need to redo and keep these files below the web root? If so,
will these permission issues still apply? Will 777 be ok?

Finally, how does a web page access these files?

Thank so much for taking the time.
Harvey

Look at the file extension, and only allow certain extensions to be
uploaded.

If your webserver is set up correctly, it won't execute .txt, .pdf,
etc. files. It will just serve them.
I have included this checking in the script. So, are you saying that
having these files in the tree is ok? and that 777 would be ok?

Sorry to be such a bother.

Harvey
777 has nothing to do with whether the file is executable or not. It
has EVERYTHING to do with security from other users on your shared host.

No, it is NOT good to have 777. In fact, I would say 640 is the most
you should have (web scripts are NOT executable).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Nov 4 '08 #11
>
777 has nothing to do with whether the file is executable or not. It
has EVERYTHING to do with security from other users on your shared host.

No, it is NOT good to have 777. In fact, I would say 640 is the most
you should have (web scripts are NOT executable).
Thank you Jerry. I jumped into this project without thinking it through
all the way. Of course, when you are learning that is pretty much how it
happens.

Now that I have a script that is working - except for this whole
permissions issue - I see that PHP as FTP commands, which I didn't
realize in the beginning. Perhaps it would be better to use ftp_put()
instead of move_uploaded_file()???

Perhaps this calls for a new topic.

Harvey
Nov 4 '08 #12
eclipsme wrote:
>
>>
777 has nothing to do with whether the file is executable or not. It
has EVERYTHING to do with security from other users on your shared host.

No, it is NOT good to have 777. In fact, I would say 640 is the most
you should have (web scripts are NOT executable).
Thank you Jerry. I jumped into this project without thinking it through
all the way. Of course, when you are learning that is pretty much how it
happens.

Now that I have a script that is working - except for this whole
permissions issue - I see that PHP as FTP commands, which I didn't
realize in the beginning. Perhaps it would be better to use ftp_put()
instead of move_uploaded_file()???

Perhaps this calls for a new topic.

Harvey
No, you need to use move_uploaded_file() to move the file from the
temporary location to the permanent one.

What you need to do is to get your hosting company to straighten out
your group memberships.

And BTW - I forgot you were talking about a directory; 640 should be for
files. A directory should be something like 750 or 770, but never 777.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Nov 4 '08 #13
On Tue, 04 Nov 2008 07:04:59 -0500, eclipsme <ec******@nowhere.com>
wrote in <XR*******************@bignews4.bellsouth.net>:

[snip]
>The database is for agendas, minutes and audio of various city meetings.
Each 'agency', like the city council, or redevelopment, has its own
table. The table holds only the name of the file, and the path to the
file is coded in the web pages.
This is OT, but FYI, unless there's a compelling reason to have
separate tables, all of these entries should be in a single table with
an additional column that contains the primary key of the record that
identifies the agency. Something like:

CREATE TABLE agencies (
id INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY
, name VARCHAR(255) NOT NULL
);

CREATE TABLE minutes (
id INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY
, agency_id INTEGER NOT NULL
, filename VARCHAR(255) NOT NULL
, CONSTRAINT FK_minutes_agencies FOREIGN KEY (
agency_id
) REFERENCES agencies (id)
);

You can then write an interface in your application that allows the
administration of the agencies. If a new agency is added, you just
add a record to the table agencies and start adding records to the
table minutes. With a separate table per agency, you'd have to add a
new table and modify your code.

This isn't really a PHP issue, so I suggest following up in an
appropriate database group, such as comp.databases.mysql.
--
Charles Calvert | Web-site Design/Development
Celtic Wolf, Inc. | Software Design/Development
http://www.celticwolf.com/ | Data Conversion
(703) 580-0210 | Project Management
Nov 4 '08 #14

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: balzano_1 | last post by:
Hi, im trying to upload a file from a client (windows) to an ftp server (linux), i deciede to use some of php`s functions to connect and authenticate etc.. i only wish to put a file on the server,...
6
by: jonathanmcdougall | last post by:
I have read many posts on this subject and found no satisfying answer. I am creating a file on the server via a PHP script. The file is created using GD (imagejpeg()), though I don't think it is...
6
by: Pat Carden | last post by:
Hi, We need to allow webusers to upload a file on our website (on Server3, all servers run Server 2003, remotely hosted) and eventually save it on our SBS Server (Server2) which is not exposed...
1
by: BW | last post by:
I am creating an upload/download function for an extranet site. Files will be uploaded to directory based upon the users login and associated project. The function works as long as I use "c:\Temp"...
4
by: Tony B | last post by:
I've moved an existing site (which I didn't write) from a apache/php/mysql host under windows to a linux apache/php/mysql host. I've sorted out most problems except one. There is an upload...
0
by: Tim Payne | last post by:
I have an odd permissions issue with uploading files to a windows 2003 server. I have a reasonably unusual setup. We have a php website, running through IIS that was written to use mod_rewrite....
1
by: lPrentice | last post by:
Hello, After all this time, Linux file permissions still confuse me at times. I have a Python web-based application with an file (images) upload module. The application is running on two remote...
1
by: chrisj | last post by:
I'm using freeASPupload and got some assistance integrating to a Member script. It works successfully. In this modified version there are two groups that use this upload script. Members of one...
2
by: beary | last post by:
Hello everyone, I posted this in unix/linux but it received no replies, so I assume it was the wrong forum. I'm trying here. I'm in way over my head with file permissions. The directory and...
1
isladogs
by: isladogs | last post by:
The next online meeting of the Access Europe User Group will be on Wednesday 6 Dec 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, Mike...
0
by: veera ravala | last post by:
ServiceNow is a powerful cloud-based platform that offers a wide range of services to help organizations manage their workflows, operations, and IT services more efficiently. At its core, ServiceNow...
0
by: VivesProcSPL | last post by:
Obviously, one of the original purposes of SQL is to make data query processing easy. The language uses many English-like terms and syntax in an effort to make it easy to learn, particularly for...
0
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
2
by: jimatqsi | last post by:
The boss wants the word "CONFIDENTIAL" overlaying certain reports. He wants it large, slanted across the page, on every page, very light gray, outlined letters, not block letters. I thought Word Art...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
1
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.