Re: File Upload Security and chmod

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
Hi Tedd,

Yes, when I browse to www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root.  I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.?  I have my "uploaded_images/"
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page...  Thanks for your response,


Andy:

I ran into the same problem trying to work with, and understand, permissions on a virtual host. When I asked this gang about permissions some time back, I received answers that ranged from RTFM to calling me stupid for using 0777, but none answered my question. No fault of the gang, I probably didn't ask the question correctly. In any event, I felt too stupid to ask the question again, so I went elsewhere looking for answers and eventually found something that works for me.

Some consider me a novice, so I'll ask the gang to overview my comments to make sure that I'm not guiding you down the wrong path.

As you know, the key to setting the permissions of a file depends upon the permissions the parent folder. If the parent folder permission is set to 0777, then we can change any files inside the folder as we want. However, that also presents a major security hole because then anyone can use that folder to upload and run evil code.

So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as we want via our FTP connection software. So, I thought perhaps php had something like that and as such I discovered how to ftp connect via php.

Now, not all php ftp_<commands> are available to php 4, but you can connect to your site and change permissions of folders, which is what we actually need. So, if you want to do something with a file: then change the folder permissions of the folder that holds it; do whatever you want with the file; and then change the folder permissions back to something safe.

You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we would normally use to locate a file. For example:

An example web path:

http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just put in your own domain, user id, password, and correct paths and try it out. Change the permissions in the code and watch how the file permissions change.

Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory, but I would just leave it alone.

---

// how to call the function

<?php

$ftp_path = "public_html/rw/";  // note the ftp path
$theDir = "tmp";
$theFile ="text.txt";
FtpPerms($ftp_path, $theDir, $theFile);
?>


// the function

<?php
// create directory and change permissions via FTP connection

function FtpPerms($path, $theDir, $theFile)
{

$server='ftp.yourdomain.com'; // ftp server
$connection = ftp_connect($server); // connection

$user = "you";
$pass = "yourpassword";
$result = ftp_login($connection, $user, $pass); // login to ftp server

if ((!$connection) || (!$result))
{
echo("No connection<br/>");
return false;
exit();
}
else
{
echo("Made connection<br/>");
ftp_chdir($connection, $path); // go to destination dir

echo("Change permission<br/>");
$str="CHMOD 0755 " . $theDir; // change permissions for dir (note the space after 0775 )
ftp_site($connection, $str);
echo("$str<br/>");

$filename = "$theDir/$theFile";
$contents = "This is the contents of the file.";

echo("<hr><br/>Writing file <br/><br/>");

$file = fopen( $filename, "w" );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);

echo("Change permission<br/>");
$str="CHMOD 0600 " . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo("$str<br/>");


echo("Close connection<br/>");
ftp_close($connection); // close connection
}

}
?>
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux