Re: cannot figure out permissions for fopen/fwrite

Mari Masuda <mbmasuda@xxxxxxxxxxxx> · Thu, 2 Jul 2009 20:53:06 -0700

Yes, currently the tmp folder (or any folders in my Apache htdocs  
folder) is not accessible to the web due to the Mac's built-in  
firewall set to block all incoming traffic except network time and  
something installed by Adobe when I installed CS4 (e.g., Photoshop,  
InDesign, etc.).  However, I was wondering what the normal technique  
is for writing files if the script that does the fopen/fwrite is  
located on a production server that IS on the web.  It occurred to me  
that I could create a 777 folder outside of the web root so that it  
would not be accessible on the web even if the script was running on  
a production server, but I wasn't sure if that was a good or bad idea.

On Jul 2, 2009, at 17:59, Waynn Lue wrote:

The tmp folder isn't accessible from the web though, right? Someone
would first have to get access to your server for that.

On 7/1/09, Mari Masuda <mbmasuda@xxxxxxxxxxxx> wrote:

On Jul 1, 2009, at 12:54, Shawn McKenzie wrote:

Mari Masuda wrote:
On Jul 1, 2009, at 12:20, Shawn McKenzie wrote:

Shawn McKenzie wrote:
Mari Masuda wrote:
Hello,

This is probably a dumb newbie question.  I am running PHP
5.2.5 and
Apache 2.2.8 on my Mac Book Pro OS X 10.4.11.  I compiled PHP  
and
Apache
from source a while ago (as opposed to using the built-in web
server
that is included w/ Mac OS X).  I have written the below PHP  
whose
purpose is to read an existing comma separated (CSV) file and
save the
data into a text file that I can later copy and paste from  
into my
website content management system.  The problem is that on my
Mac, I
cannot seem to figure out what permissions I need to set in
order to
make the input CSV and the initially non-existant output text  
file
readable and writable by Apache/PHP.  I have Googled and come
across
many pages about different ways to set permissions and different
permissions to set but none of the ways suggested that I tried
seemed to
work for me.  As a temporary solution, I uploaded my PHP file  
to a
Windows 2003 server running Apache and PHP and it worked
flawlessly
(and
makes me suspicious that there is some huge security hole  
with the
Windows box since it was able to execute with no permissions
modifications).  Any tips would be greatly appreciated.  Thanks!

Mari

--- start my code ---
<?php

    $in = fopen("/Applications/apache/htdocs/wp-php/wp.csv",  
"r");
    $out =
fopen("/Applications/apache/htdocs/wp-php/ 
tableToCutAndPaste.txt",
"w");
    $counter = 0;

    fwrite($out, "<table>\n");

    while(($data = fgetcsv($in)) !== FALSE) {
        $paperNumber = $data[0];
        $authors = $data[1];
        $title = $data[2];
        $filename = $paperNumber . ".pdf";

        if(($counter % 2) == 0) {
            fwrite($out, "<tr>\n");
        } else {
            fwrite($out, "<tr style=\"background: #cccccc;\"> 
\n");
        }

        fwrite($out, "<td><a
href=\"http://www.example.com/workingpapers/getWorkingPaper.php?
filename=$filename\">$paperNumber</a></td>\n");

        fwrite($out, "<td>$authors</td>\n");
        fwrite($out, "<td>$title</td>\n");
        fwrite($out, "</tr>\n");

        $counter++;
    }

    fwrite($out, "</table>\n");

    fclose($in);
    fclose($out);

?>
--- end my code ---

What are the permissions on /Applications/apache/htdocs/wp-php/ ?

Apache needs write permissions on that dir in order to create
the file
tableToCutAndPaste.txt.

It's probably not a secure idea to give write permissions to
that dir,
so maybe create a subdir of tmp and change those permissions
(one way):

mkdir /Applications/apache/htdocs/wp-php/tmp
chmod a+w /Applications/apache/htdocs/wp-php/tmp

Also, turn on error reporting so that you can see the exact
problem.  It
may not be what you think.

--
Thanks!
-Shawn
http://www.spidean.com

Thanks for the suggestions.  I added the following lines to the
very top
of my code:

    error_reporting(E_ALL);

    mkdir("/Applications/apache/htdocs/wp-php/tmp", 0777, true);
    chmod("/Applications/apache/htdocs/wp-php/tmp", "a+w");

and I also changed the line where it tries to open the file to
write to
to go to the new directory:

    $out =
fopen("/Applications/apache/htdocs/wp-php/tmp/
tableToCutAndPaste.txt",
"w");

Below are the errors I got:
--- start errors ---
Warning: mkdir() [function.mkdir]: Permission denied in
/Applications/apache/htdocs/wp-php/generateTable.php on line 5

Warning: chmod() [function.chmod]: No such file or directory in
/Applications/apache/htdocs/wp-php/generateTable.php on line 6

Warning:
fopen(/Applications/apache/htdocs/wp-php/tmp/ 
tableToCutAndPaste.txt)
[function.fopen]: failed to open stream: No such file or  
directory in
/Applications/apache/htdocs/wp-php/generateTable.php on line 9

Warning: fwrite(): supplied argument is not a valid stream
resource in
/Applications/apache/htdocs/wp-php/generateTable.php on line 13

Warning: fwrite(): supplied argument is not a valid stream
resource in
/Applications/apache/htdocs/wp-php/generateTable.php on line 22

Warning: fwrite(): supplied argument is not a valid stream
resource in
/Applications/apache/htdocs/wp-php/generateTable.php on line 27

Warning: fwrite(): supplied argument is not a valid stream
resource in
/Applications/apache/htdocs/wp-php/generateTable.php on line 28

Warning: fwrite(): supplied argument is not a valid stream
resource in
/Applications/apache/htdocs/wp-php/generateTable.php on line 29

Warning: fwrite(): supplied argument is not a valid stream
resource in
/Applications/apache/htdocs/wp-php/generateTable.php on line 30

Warning: fwrite(): supplied argument is not a valid stream
resource in
/Applications/apache/htdocs/wp-php/generateTable.php on line 35

Warning: fclose(): supplied argument is not a valid stream
resource in
/Applications/apache/htdocs/wp-php/generateTable.php on line 39
--- end errors ---

The permissions are as follows (sorry I didn't think to include
them in
my original message):

[Wed Jul 01 12:28:29] ~: ls -la /Applications/apache/htdocs/wp-php/
total 64
drwxr-xr-x    5 mari  admin    170 Jun 29 16:47 .
drwxr-xr-x   24 mari  admin    816 Jun 29 16:47 ..
-rw-r--r--    1 mari  admin   6148 Jun 28 21:11 .DS_Store
-rwxr--r--    1 mari  admin    827 Jul  1 12:26 generateTable.php
-rwxr--r--    1 mari  admin  17532 Jun 28 20:53 wp.csv
[Wed Jul 01 12:29:01] ~:

Thank you,
Mari

That's because the apache user doesn't have permissions to create  
the
dir or change the permissions.  The commands I gave you need to  
be run
from the command line.

--
Thanks!
-Shawn
http://www.spidean.com

Oh, duh, thank you.  Doing it on the command line like you said
worked great.  I also had to edit my .csv file in TextWrangler to
change the line breaks from \r to \r\n before it would work.
Although the Mac's built-in firewall is set to block incoming traffic
except for network time and something installed by Adobe when I
installed CS4, I was wondering about the security of this technique
if done on a production server.  I only run this script by pointing
my browser to http://localhost/wp-php/generateTable.php and I think
with my firewall settings nobody else would be able to execute this
script, but it seems if the tmp folder is set to world writable on a
production server that anybody might be able to somehow upload a
malicious file if they knew the location of tmp.  Any thoughts?   
Thanks!

Mari

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php