When PHP saves to a folder, what should its permissions be?

I originally asked this on Stack, thinking it's a basic-I-don't-understand-PHP question, but the answers I'm getting there indicate that it depends a lot on host specifics, so:

I'm trying to use this Dagon Design PHP form to help a local non-profit publication enable their readers to submit photos. I've got the "mailer" part working -- the notifications work fine -- but the "saving a file to a folder" part isn't functioning.

On the form page, the author says "the directory must have write permissions," but I'm not sure "who" is writing to that folder -- is this PHP script considered "Owner" when it saves something on my site? Or do I need to allow save permissions for Owner, Group and Others?

I'm not sure why the script isn't saving the photos, but this seems like a good place to start.

The page I'm clumsily trying to build is here, if that helps.

owner php permissions

asked Sep 04 '12 at 08:18

mattshepherd
27●1●9

2 Answers:

oldest newest most voted

On our system, your PHP processes run as your own user, so you don't need to give write permission to group or other.

If you believe that the problem you're having is related to permissions, then try using 711 or 755 on the directory to which you're trying to upload files, and ensure that you have ownership of that directory.

answered Sep 04 '12 at 12:50

seanf ♦♦
5989●1●2●20

edited Sep 04 '12 at 12:50

Good to know -- thanks, seanf. At least now I know it's not permissions...

(Sep 05 '12 at 06:35) mattshepherd

First off: Providing write access folders can be dangerous. The main reason being that if I (as an evil person) can write to that directory, I can write a script that lets me hack into your machine. You REALLY want to make sure that:

1) where-ever you're storing the files is somewhere that can't store something that could be run. (e.g. /$DOCROOT/photos since I could load a .php script and guess the path to run it.)

2) you run your server under an account like "nobody" that has permission to do very little on the machine. (So when someone breaks your security, they can't do much damage.)

That last one can be hard to do, particularly if you don't own the server you're running on.

Now, if your case, you wanted to know who to give write permissions to for the directory: (this presumes you're running Linux)

1) set the download destination directory to global write: chmod 777 /path/to/upload/directory

2) upload a file.

3) see who wrote the file: ls -l /path/to/upload/directory

You'll see something like: -rw-r--r-- 1 jrconlin 33280 2012-09-05 16:42 foo.bar

In this case, the file "foo.bar" was written by user "jrconlin". In an ideal world, you'd change the owner of that directory to be "jrconlin", and bolt down permissions accordingly. Sadly, that's probably not going to be possible (again, unless you own the box and have super user privileges).

So, instead, try the following, (presuming you're running apache) Create a /path/to/upload/directory/.htaccess (note the "." at the front) containing:

RemoveHandler .php
RemoveHandler .inc
RemoveHandler .pl
RemoveHandler .cgi
RemoveHandler .py
RemoveHandler .fcgi

This will prevent those scripts from being run. Obviously, this is not a perfect list, and you will need to add any additional files if you know or suspect them.

answered Sep 05 '12 at 11:25

jrconlin
1●1

edited Sep 05 '12 at 11:26

If I'm understanding you correctly, the risk is that somebody could upload a malicious script rather than a photo, right? Would setting acceptable file types to only .jpg, .png and .jpeg solve that problem (i.e. something like “type=file|class=|label=|fieldname=|[req=true]|[allowed=png,jpg,gif]”), or could people just upload PHP scripts with a false suffix and run them anyway?

(I've gone ahead and created the .htaccess file).

(Sep 05 '12 at 11:37) mattshepherd

Our system is configured like this:

1
2
3

<FilesMatch \.php$>
    SetHandler php52-fcgi
</FilesMatch>

That means only files whose name ends with ".php" will executed as PHP scripts.

So, if you validate your input and accept only image file extensions, then that will help the security of your application.

Using a "symbolic link to static-only" application to serve your uploads directory will provide additional security, since static-only apps are exactly that: static only.

(Sep 05 '12 at 11:42) seanf ♦♦

Your answer

If you have an answer to the above question, then use the form below. Otherwise, use the appropriate 'add new comment' button above to post your feedback.

toggle preview

community wiki

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Tags:

php ×150
permissions ×37
owner ×2

Asked: Sep 04 '12 at 08:18

Seen: 601 times

Last updated: Sep 05 '12 at 11:51

When PHP saves to a folder, what should its permissions be?

Follow this question

Got questions? We have answers!

Related questions