
whocares

macrumors 65816
Original poster
Oct 9, 2002
1,494
0
:noitаɔo˩
A quick question concerning security with respect to uploading files to a server using HTML/PHP. :)

Right now I have my permissions set to 770 for the directory in which the files are uploaded. So far the server is my iBook, so the directory belongs to me. Group is set to www so Apache has access.

Is this a safe setting? Is there a better setting?
What bothers me is that Apache is free to write in to that directory and I'm wondering if it isn't a security issue.

Cheers!
 

Westside guy

macrumors 603
Oct 15, 2003
6,339
4,156
The soggy side of the Pacific NW
whocares said:
A quick question concerning security with respect to uploading files to a server using HTML/PHP. :)

Right now I have my permissions set to 770 for the directory in which the files are uploaded. So far the server is my iBook, so the directory belongs to me. Group is set to www so Apache has access.

Is this a safe setting? Is there a better setting?
What bothers me is that Apache is free to write in to that directory and I'm wondering if it isn't a security issue.

750 would be better. Unless Apache explicitly needs permission to write in a directory (say if you're using a Web script to store or write data to a directory), it's better not to give it said permissions - ESPECIALLY in a directory that is enabled for CGI or PHP.
 

whocares

macrumors 65816
Original poster
Oct 9, 2002
1,494
0
:noitаɔo˩
Westside guy said:
750 would be better. Unless Apache explicitly needs permission to write in a directory (say if you're using a Web script to store or write data to a directory), it's better not to give it said permissions - ESPECIALLY in a directory that is enabled for CGI or PHP.

That's the problem! I'm uploading files (pictures) into the directory. Hence the script needs write permission. (All other directories are set to 710.)
 

tomf87

macrumors 65816
Sep 10, 2003
1,052
0
If you are wanting someone to upload to a directory, it's going to require write permission, so you have no options there.

You could set perms so they can write to the directory, but not read from it (730, assuming owner is you and group is apache).
 

Knox

Administrator
Staff member
Jul 1, 2002
1,267
1
UK
Have a look (or ask the server admin) and see if cgi-wrap is available on the server. cgi-wrap is designed to allow cgi/php scripts to be run under your user account rather than the user that apache runs under. Using cgi-wrap means that any files written by your scripts will be written under your account and so you can set the permissions to 700(folders)/600(files) without a problem.

This also means you can change the permissions on the php scripts to stop other users on the server reading them (the server may already be configured to stop this using a different method). Of course if there aren't any other users on the server you don't have to worry about the permissions - Apache is always going to be able to write to the directory, it's just whether other users can also write to it or not :)
 

brianellisrules

macrumors regular
Oct 17, 2003
229
0
I wrote a script to upload pictures to a directory. Here's the front-end: http://www.brianellisrules.com/stickers/upload/

Basically, it has a couple of checks:
1) only .jpg and .gif images are allowed
2) only pictures below 100KB are allowed (it uploads the picture then checks the size and deletes it if it's too big... I couldn't figure out a way to do it before uploading the picture).

I also have it set up so you can't view the folder index after you upload files (when a user uploads a file it creates a sub-directory for that user and stores all the images there).

I'm not very computer savvy, but this should be relatively secure/safe, eh?
 

Westside guy

macrumors 603
Oct 15, 2003
6,339
4,156
The soggy side of the Pacific NW
whocares said:
That's the problem! I'm uploading files (pictures) into the directory. Hence the script needs write permission. (All other directories are set to 710.)

Oh, duh, sorry - I hate it when people don't read a post carefully, and there I go and do exactly that! :p

If possible, you should use a directory that's not in executable space (you may not have a choice since PHP is enabled). Password-protect that directory with .htaccess/.htpasswd, so that you control who has access to the directory - that way if someone manages to sneak a malicious script in there, they can't execute it. Alternatively you could just use .htaccess to disable php in that particular directory.

The ideas posted previously about not allowing people to view the directory index, and to check uploaded files' extensions, are good ones.
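
The checks discussed in this thread (JPEG/GIF only, the 100KB limit, nothing executable left in the upload directory), as an added example that is not code from any poster. The form field name `picture` and the storage path `/var/uploads/pictures` are assumptions; the function decides the type from the file's content and tests the size on PHP's temporary file, before anything is written to the upload directory.

```php
<?php
// Added example. Assumed names (not from the thread): form field "picture"
// and UPLOAD_DIR, a directory outside the document root, writable by Apache.
const MAX_BYTES  = 100 * 1024;                 // the 100KB limit from the thread
const UPLOAD_DIR = '/var/uploads/pictures';    // hypothetical path
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_upload(array $file, string $destDir): string
{
    // Transfer problems, including the php.ini upload_max_filesize limit,
    // are reported through the error code.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $err);
    }
    // Accept only a temporary file PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Size is measured on the temp file, not taken from the client.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size > MAX_BYTES) {
        throw new RuntimeException('file larger than 100KB');
    }
    // Type comes from the content, not the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('only JPEG and GIF images are accepted');
    }
    // Server-generated name: no client-chosen path or extension reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // owner rw, group r, no execute bit, nothing for others
    return $name;
}

if (isset($_FILES['picture'])) {
    try {
        echo 'stored as ' . store_upload($_FILES['picture'], UPLOAD_DIR);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```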
 

brianellisrules

macrumors regular
Oct 17, 2003
229
0
Westside guy said:
The ideas posted previously about not allowing people to view the directory index, and to check uploaded files' extensions, are good ones.

Thanks. The only problem is that it hasn't been tested all that thoroughly... I mean, I tested it when I was writing the script and I had a couple friends try it, but that's it.

Oh yeah, if anyone wants to take a look at the code, just let me know. I'd be more than happy to share it (although there's a good chance it's poorly written and not very efficient... :))
 