Re: File Upload Security and chmod

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Andy:

It was never a question of speed for me -- it was a question of being able to change file permissions from within a php script so that I could create and write files safely.

You see, I am *not* able to use chmod() within a php script at all regardless of what permissions the file and parent folder have -- even when both are set to 0777. To do any permissions changing from within a php script I am forced to resort to a ftp connection as I previously described.

I can't even create a file, nor open a file for writing, without the parent folder having 0777 permissions. The only option I had was to set parent folders to 0777 and leave them that way, and I wasn't going to do that for security reasons.

Now, perhaps something is wrong with my server (or me) -- but -- I have more than one server and the same tests held true for all of them.

So, if you can chmod() and mkdir() from within your php script without establishing an ftp connection, then more power to you, because I can't. And that's the reason I use ftp_login. I thought that you had the same problem.

Now, perhaps I should RTFM again -- but -- I have read it and I have not found another method that works to change permissions other than to use ftp_logon.

I suspect that this problem may be pretty obvious to the gang, but I don't know if anyone cares to comment. Comments?

tedd

---

At 1:11 PM -0600 9/25/06, Andy Hultgren wrote:
Tedd,

Thanks so much your thorough response - it's good to know that I'm not the only one trying to figure this out! I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours.

Andy


On 9/25/06, tedd <<mailto:tedd@xxxxxxxxxxxx>tedd@xxxxxxxxxxxx> wrote:

At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
Hi Tedd,

Yes, when I browse to <http://www.myDomain.com> www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root.  I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.?  I have my "uploaded_images/"
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page...  Thanks for your response,


Andy:

I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.

Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.

As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.

So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.

Now, not all php ftp_<commands> are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.

You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:

An example web path:

<http://www.yourdomain.com/rw/tmp/text.txt>http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.

Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory,
but I would just leave it alone.

---

// how to call the function

<?php

$ftp_path = "public_html/rw/";  // note the ftp path
$theDir = "tmp";
$theFile ="text.txt ";
FtpPerms($ftp_path, $theDir, $theFile);
?>


// the function

<?php
// create directory and change permissions via FTP connection

function FtpPerms($path, $theDir, $theFile)
{

$server='<http://ftp.yourdomain.com>ftp.yourdomain.com'; // ftp server
$connection = ftp_connect($server); // connection

$user = "you";
$pass = "yourpassword";
$result = ftp_login($connection, $user, $pass); // login to ftp server

if ((!$connection) || (!$result))
{
echo("No connection<br/>");
return false;
exit();
}
else
{
echo("Made connection<br/>");
ftp_chdir($connection, $path); // go to destination dir

echo("Change permission<br/>");
$str="CHMOD 0755 " . $theDir; // change permissions for dir (note the
space after 0775 )
ftp_site($connection, $str);
echo("$str<br/>");

$filename = "$theDir/$theFile";
$contents = "This is the contents of the file.";

echo("<hr><br/>Writing file <br/><br/>");

$file = fopen( $filename, "w" );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);

echo("Change permission<br/>");
$str="CHMOD 0600 " . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo("$str<br/>");


echo("Close connection<br/>");
ftp_close($connection); // close connection
}

}
?>
--
-------
<http://sperling.com>http://sperling.com <http://ancientstones.com>http://ancientstones.com <http://earthstones.com>http://earthstones.com

--
PHP General Mailing List (<http://www.php.net/>http://www.php.net/ )
To unsubscribe, visit: <http://www.php.net/unsub.php>http://www.php.net/unsub.php


--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux