[Techtalk] php and apache and permissions
k.clair
kclair at serve.com
Fri Dec 20 13:11:37 EST 2002
- > We have a user who is using php scripts to upload files to their
- > directory. The directory that they are writing the files to has the
- > following permissions:
- >
- > drwxr-xr-x 2 User users (where User is their username)
- >
- > However, all the files that are in the directory that have been uploaded
- > are owned by user "www" and group "users". This makes sense to me
- > because php is run as www. What does not make sense to me is: how can
- > php write to that directory if it's only writeable by the user?
-
- Is it writable by group? Is the directory that it's going to owned by www?
As above, no and no. I don't see any reason why php running as www
should be able to write to this directory.
-
- > I don't know much about php, but it looks like the command they're using
- > to write to the directory is:
- >
- > copy($workphotofile, $copyname);
-
- hmm, ok
-
- > $workphotofile seems to be set directly by this html form tag:
- > <input type="file" name="workphotofile">
- >
- > (I can't see what the original path and filename of $workphotofile is...
- > is this some temporary location used internally by php?)
-
- presumably it's somewhere in /tmp ? I'm not familiar enough with PHP to
- really answer that.
-
- However, what I think might work better is if you switch PHP to run in CGI
- mode instead of through mod_php, and then set up suexec. Our commercial
- web hosting is set up in this way, and it works a treat. I'll see if I can
- rustle up a sample config based on a sanitised version of our
- config. Some people say there's a performance hit from running PHP as a
- CGI and a little more from suexec, but we haven't noticed any, and it's
- definitely worth it for the predictability and security it gives.
-
Yeah, I agree, unfortunately it's not within my immediate power to make
that change :)
Right now I'm mostly curious about how these files are getting written!
thanks,
Kristina
### my gpg key can be found here:
http://www.klerp.net/gpgkey
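
The mode-bit check this thread is reasoning about, as an added example that is not part of the original messages: it selects the owner, group or other class for a process and reports whether that process could create a file in the directory. The uid/gid numbers are constructed, the function names are hypothetical, and only classic mode bits are evaluated (no ACLs or other mechanisms).

```python
import os
import stat

def permission_class(dir_uid, dir_gid, uid, gids):
    """Pick the single triplet that applies: owner first, then group, then other.
    The first match wins, even when a later class would grant more."""
    if uid == dir_uid:
        return "owner"
    if dir_gid in gids:
        return "group"
    return "other"

def can_create_in(mode, dir_uid, dir_gid, uid, gids):
    """True if a process with (uid, gids) may create an entry in the directory.
    Creating a file needs both write (2) and search/execute (1) on the directory."""
    if uid == 0:
        return True  # root is not limited by the mode bits
    shift = {"owner": 6, "group": 3, "other": 0}[
        permission_class(dir_uid, dir_gid, uid, gids)]
    bits = (mode >> shift) & 0o7
    return (bits & 0o3) == 0o3

def audit_dir(path, uid, gids):
    """Apply the same check to a real directory for a given identity."""
    st = os.stat(path)
    return {
        "mode": stat.filemode(st.st_mode),
        "class": permission_class(st.st_uid, st.st_gid, uid, gids),
        "can_create": can_create_in(st.st_mode, st.st_uid, st.st_gid, uid, gids),
    }

if __name__ == "__main__":
    # Constructed ids: User=1001, group users=100, www=80 with its own group 80.
    USER, USERS, WWW = 1001, 100, 80
    for mode in (0o755, 0o775, 0o777):
        for gids in ([80], [80, USERS]):
            print(oct(mode), "www gids", gids, "->",
                  can_create_in(mode, USER, USERS, WWW, gids))
```

With the listing quoted in the thread (drwxr-xr-x), the check returns False for www whether or not www is a member of group users; it only becomes True at group-writable with membership, or world-writable.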