NYCPHP Meetup

NYPHP.org

[nycphp-talk] Setting directory permissions

jsiegel1 at optonline.net
Fri Apr 18 21:04:08 EDT 2003


Hans,

What would you suggest for a set of pages that use a set of pics that the end user can upload? Should I upload them (the pics) into a database as blobs?

Jeff

----- Original Message -----
From: Hans Zaunere <hans at nyphp.org>
Date: Friday, April 18, 2003 8:20 pm
Subject: Re: [nycphp-talk] Setting directory permissions

> 
> Hi Jeff,
> 
> --- jsiegel1 at optonline.net wrote:
> > I'm sure this is an easy one but...since I'm still learning PHP...I'm
> > scratching my poor bald head. ;)
> > 
> > Here's a code snippet:
> > 
> > //create new directory with the id name if it doesn't exist, chmod to 777
> > if(!is_dir($id)) {
> >     $root = getenv('DOCUMENT_ROOT');
> >     $id = $root . '/pic_test/' . $id;
> >     mkdir($id,0777);
> > }
> 
> Note that the is_dir($id) call isn't necessarily checking the dir you think
> it is.
> 
> > The problem is...this only works if I chmod the subdirectory "pic_test" to
> > 777 using my FTP application. However, I want to quickly change the
> > permissions via PHP code, upload some pictures with my form, then change
> > the permissions back to 755.
> 
> Assuming you're running PHP as an Apache module, you'll be limited to the
> user privileges of Apache itself.  While in most cases this is good, for
> writing to the filesystem things can get hairy.
> 
> For one, you won't be able to change the permissions of a directory/file you
> don't own (read: apache's running user doesn't own).  So, trying to change
> the permissions from less-restrictive to more-restrictive 'quickly' is a moot
> point, since if a malicious page is written, he'd just change the perms if
> desired anyway.
> 
> It's a catch-22 (as it should be) and is only solvable by having proper
> ownership (or improper ownership, depending on your viewpoint), suEXEC
> (achtung!) or a daemon to handle file operations.
> 
> HTH,
> 
> H
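
The points in the quoted reply (test the same path you create, and rely on ownership rather than a 777 window), shown as an added PHP example that is not code from either poster. The helper name `ensure_upload_dir`, the id format, and the temp directory standing in for `DOCUMENT_ROOT/pic_test` are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Creates a per-id upload directory without making anything world-writable.
function ensure_upload_dir(string $base, string $id): string
{
    // Assumed id format: a simple token, so $id cannot contain "/" or "..".
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        throw new InvalidArgumentException('invalid id');
    }
    // Build the full path first, then test that same path.
    $dir = rtrim($base, '/') . '/' . $id;
    if (is_dir($dir)) {
        return $dir;
    }
    // mkdir() needs write permission on the parent for the user PHP runs as
    // (Apache's user under mod_php). Grant that once through ownership or
    // group membership of the parent, not by toggling it to 0777.
    if (!is_dir($base) || !is_writable($base)) {
        throw new RuntimeException("PHP user cannot create directories in $base");
    }
    $ok = mkdir($dir, 0755);
    // Another request may have created it in the meantime; accept that.
    if (!$ok && !is_dir($dir)) {
        throw new RuntimeException("mkdir failed for $dir");
    }
    // The mode given to mkdir() is masked by the umask, so set it explicitly.
    // chmod() succeeds here because the PHP user owns what it just created;
    // owner rwx is all that later uploads by the same user need.
    chmod($dir, 0755);
    return $dir;
}

// Constructed demo: a temp directory stands in for DOCUMENT_ROOT/pic_test.
$base = sys_get_temp_dir() . '/pic_test_demo_' . getmypid();
mkdir($base, 0755);
$dir = ensure_upload_dir($base, '42');
printf("%s mode=%o same_owner_as_parent=%s\n", $dir, fileperms($dir) & 0777,
    var_export(fileowner($dir) === fileowner($base), true));
foreach (['../etc', 'a/b', ''] as $bad) {
    try {
        ensure_upload_dir($base, $bad);
    } catch (InvalidArgumentException $e) {
        printf("rejected %s\n", var_export($bad, true));
    }
}
rmdir($dir);
rmdir($base);
```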