[Techtalk] php and apache and permissions

Fri Dec 20 13:11:37 EST 2002

- > We have a user who is using php scripts to upload files to their
- > directory.  The directory that they are writing the files to has the
- > following permissions:
- > 
- > drwxr-xr-x    2 User users  (where User is their username)
- > 
- > However, all the files that are in the directory that have been uploaded
- > are owned by user "www" and group "users".  This makes sense to me
- > because php is run as www. What does not make sense to me is: how can
- > php write to that directory if it's only writeable by the user?
- 
- Is it writable by group? is the directory that it's going to owned by www?

as above, no and no. I don't see any reason why php running as www
should be able to write to this directory.

- 
- > I don't know much about php, but it looks like the command they're using
- > to write to the directory is:
- > 
- > copy($workphotofile, $copyname);
- 
- hmm, ok
- 
- > $workphotofile seems to be set directly by this html form tag:
- > <input type="file" name="workphotofile">
- > 
- > (I can't see what the original path and filename of $workphotofile is... 
- > is this some temporary location used internally by php?)
- 
- presumably it's somewhere in /tmp ? I'm not familiar enough with PHP to
- really answer that.
- 
- However, what I think might work better is if you switch PHP to run in CGI
- mode instead of through mod_php, and then setup suexec.  Our commercial
- web hosting is setup in this way, and it works a treat.  I'll see if i can
- rustle up a sample config based on a sanitised version of our
- config.  Some people say there's a performance hit from running PHP as a
- CGI and a little more from suexec, but we haven't noticed any, and it's
- definately worth it for the predictability and security it gives.
- 

Yeah, I agree, unfortunately it's not within my immediate power to make
that change :)

Right now I'm mostly curious about how these files are getting written!

thanks,
Kristina

### my gpg key can be found here:
http://www.klerp.net/gpgkey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
Url : http://linuxchix.org/pipermail/techtalk/attachments/20021220/9753f668/attachment.pgp