NYCPHP Meetup

[nycphp-talk] Setting directory permissions

Hans Zaunere zaunere at yahoo.com
Fri Apr 18 21:40:45 EDT 2003


--- jsiegel1 at optonline.net wrote:
> Hans,
> 
> What would you suggest for a set of pages that use a set of pics that the
> end user can upload?

If you're looking for a picture gallery option, then http://gallery.sf.net is
probably your best bet.  It requires Apache writable directories and
safe_mode=off (PSaw may be able to expand on this, since he implmented it for
NYPHP.org).  This isn't inherently insecure, but a shared environment and a
clever malicious user, may be food for thought.

> Should I upload them (the pics) into a database as blobs?

This certainly is the 'cleanest' option; but performance could be a
consideration, especially for large images.

Having apache writable directories isn't always a bad thing, but if you end
up writing the code yourself, just be very careful with paths and such.

H

 
> Jeff
> 
> ----- Original Message -----
> From: Hans Zaunere <hans at nyphp.org>
> Date: Friday, April 18, 2003 8:20 pm
> Subject: Re: [nycphp-talk] Setting directory permissions
> 
> > 
> > Hi Jeff,
> > 
> > --- jsiegel1 at optonline.net wrote:
> > > I'm sure this is an easy one but...since I'm still learning 
> > PHP...I'm> scratching my poor bald head. ;)
> > > 
> > > Here's a code snippet:
> > > 
> > > //create new directory with the id name if it doesn't exist, 
> > chmod to 777
> > > if(!is_dir($id)) {
> > >     $root = getenv('DOCUMENT_ROOT');
> > >     $id = $root . '/pic_test/' . $id;
> > >     mkdir($id,0777);
> > > }
> > 
> > Note that the is_dir($id) call isn't nessecarily checking the dir 
> > you think
> > it is.
> > 
> > > The problem is...this only works if I chmod the subdirectory 
> > "pic_test" to
> > > 777 using my FTP application. However, I want to quickly change the
> > > permissions via PHP code, upload some pictures with my form, 
> > then change
> > > the permissions back to 755.
> > 
> > Assuming you're running PHP as an Apache module, you'll be limited 
> > to the
> > user priveleges of Apache itself.  While in most cases this is 
> > good, for
> > writing to the filesystem things can get hairy.
> > 
> > For one, you won't be able to change the permissions of a 
> > directory/file you
> > don't own (read: apache's running user doesn't own).  So, trying 
> > to change
> > the permissions from less-restrictive to more-restrictive 
> > 'quickly' is a moot
> > point, since if a malicious page is written, he'd just change the 
> > perms if
> > desired anyway.
> > 
> > It's a catch-22 (as it should be) and is only solvable by having 
> > properownership (or improper ownership, depending on your 
> > viewpoint), suEXEC
> > (achtung!) or a daemon to handle file operations.
> > 
> > HTH,
> > 
> > H
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 
> --- Unsubscribe at http://nyphp.org/list/ ---
> 
> 




More information about the talk mailing list