Re: Directory and file permissions on a virtual host

> Would someone please provide me some simple rules for dealing with php
> scripts to
> fopen(), copy() and move_uploaded_file().
>
> Environment is Linux, Apache on a virtual host
>
> I've spent a lot of time googling, etc. and can find lots of explanations
> for
> owner, group and world.  They sound great; but don't work for me.
>
> This stuff worked on our previous host, it simply assigned  "customer" to
> everything

Your current host has given you TWO different usernames, sort of.

One is the one you use to login to the shell.  This is probably something
like 'al' or 'ridersite' or some variant on your name/site.

The other is the one running Apache/PHP.  This is probably 'nobody' or
'apache' or 'www' or something like that.

If you want PHP from the web to be able to do something to a file, you
need to make that file owned by the Apache user.

> Here is my directory structure and permissions:
>
> /foo [user accessed php scripts] permissions= 755
> /foo/data [simple text files] permissions = 777
> files in /data permissions= 644
>
> Have tried lots of other dir and file permissions
>
> ownerships are our site handle.

Here's what you do to get a whole directory OWNED by the PHP user:

Step 1: TEMPORARILY make a directory world-writable with "chmod 777 xxx"
Step 2: Write a PHP script to create a directory (http://php.net/mkdir)
*inside* that directory: <?php mkdir("/path/to/xxx/php_owned");?>
Step 3: Change xxx back to sensible permissions: "chmod 755 xxx"

Ideally, you would make this directory owned by PHP *not* in your web
tree, but in some other directory.

You would then write PHP scripts to provide access to that directory.

Those scripts would then contain code to make *SURE* the content you were
sending out "looked right".

The reason for this is that the php_owned directory can be altered by
*ANYBODY* who can write a PHP script on your server.

So if you have some cross-checks in your scripts before you serve up the
content, you can "catch" that kind of thing.

You can cross-reference the files in that directory with records in a
database of what you expect to be there.

You can make sure that images "look" like image files with
http://php.net/imagegetsize

In your case, you could store the last known size of the file in your
database, and check that right before you append to make sure somebody
else hasn't snuck some data in there.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
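
The size cross-check described in the message above, as an added example that is not part of the original post: before appending, the script looks the file up in a database of expected files and refuses to write if the size on disk differs from the last recorded size. The function name guarded_append, the table expected_files, the demo paths and the use of in-memory SQLite through PDO are all assumptions made for illustration.

```php
<?php
// Added example. Table, column and path names are assumptions.
function guarded_append(PDO $db, string $dir, string $name, string $line): bool
{
    $name = basename($name);                 // stay inside $dir
    // Only touch files the database says should exist.
    $q = $db->prepare('SELECT size FROM expected_files WHERE name = ?');
    $q->execute([$name]);
    $expected = $q->fetchColumn();
    if ($expected === false) {
        return false;
    }
    $fh = fopen("$dir/$name", 'c+');         // read/write, no truncation
    if ($fh === false) {
        return false;
    }
    $ok = false;
    if (flock($fh, LOCK_EX)) {
        // Compare the size on disk with the last size we recorded.
        $actual = fstat($fh)['size'];
        if ($actual === (int) $expected) {
            fseek($fh, 0, SEEK_END);
            $ok = fwrite($fh, $line) !== false && fflush($fh);
            // Record the new size so the next append can be checked.
            $u = $db->prepare('UPDATE expected_files SET size = ? WHERE name = ?');
            $u->execute([ftell($fh), $name]);
        } else {
            error_log("refusing append to $name: expected $expected bytes, found $actual");
        }
        flock($fh, LOCK_UN);
    }
    fclose($fh);
    return $ok;
}

// Constructed demo: SQLite in memory stands in for the site's database.
$dir = sys_get_temp_dir() . '/php_owned_demo';
is_dir($dir) || mkdir($dir, 0755);
file_put_contents("$dir/data.txt", "first\n");
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE expected_files (name TEXT PRIMARY KEY, size INTEGER)');
$db->prepare('INSERT INTO expected_files VALUES (?, ?)')->execute(['data.txt', 6]);

var_dump(guarded_append($db, $dir, 'data.txt', "second\n"));     // sizes match
file_put_contents("$dir/data.txt", "sneaked in\n", FILE_APPEND); // out-of-band write
var_dump(guarded_append($db, $dir, 'data.txt', "third\n"));      // size no longer matches
```

A size comparison does not notice an edit that leaves the length unchanged; recording a hash of the contents next to the size would cover that case.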