[Techtalk] php and apache and permissions

[Maria Blackmore]

On Fri, 20 Dec 2002, k.clair wrote:
> Another question for you (befuddling week here at work).

It's all good fun :)

> We have a user who is using php scripts to upload files to their
> directory.  The directory that they are writing the files to has the
> following permissions:
> 
> drwxr-xr-x    2 User users  (where User is their username)
> 
> However, all the files that are in the directory that have been uploaded
> are owned by user "www" and group "users".  This makes sense to me
> because php is run as www. What does not make sense to me is: how can
> php write to that directory if it's only writeable by the user?

Is it writable by group? is the directory that it's going to owned by www?

> I don't know much about php, but it looks like the command they're using
> to write to the directory is:
> 
> copy($workphotofile, $copyname);

hmm, ok

> $workphotofile seems to be set directly by this html form tag:
> <input type="file" name="workphotofile">
> 
> (I can't see what the original path and filename of $workphotofile is... 
> is this some temporary location used internally by php?)

presumably it's somewhere in /tmp ? I'm not familiar enough with PHP to
really answer that.

However, what I think might work better is if you switch PHP to run in CGI
mode instead of through mod_php, and then setup suexec.  Our commercial
web hosting is setup in this way, and it works a treat.  I'll see if i can
rustle up a sample config based on a sanitised version of our
config.  Some people say there's a performance hit from running PHP as a
CGI and a little more from suexec, but we haven't noticed any, and it's
definately worth it for the predictability and security it gives.

Maria