File Permissions Error

[okok]

I have a PHP script that occasionally creates a new directory where files uploaded by users are stored. The new directories are created using mkdir. Each time a such directory is created, there is a problem with its permissions: new files can be saved in it, but I cannod chmod, rename or delete them. So far, each time a new directory was created I had to turn to your support and request them to fix the problem.

 

Why is this happening? Is it something in my script that I need to do differently?

 

Thanks

[LisaJill]

Your script needs to create the directory at 777 to be able to write to it. You can force the script to do this but I don't know how as I don't program php... but that might be enough to get you on the road to fixing it. =)

[TCH-Dick]

It is due to some scripts creating directories unde the user "nobody". This means without root access you will not be able to delte, rename, or change permissions.

(can someone verify this for me, maybe one of the Mikes?)

[MikeJ]

As Dick stated, the directories created by PHP scripts are created by the user the webserver runs as (user "nobody"). Therefore, you cannot change ownership, or permissions of the directory, or the files uploaded, because you don't own them.

 

Your best bet, as Lisa said, is to make sure your script creates directories and files with permissions 777, so you can at least make sure you can delete the files, otherwise you could find yourself in a position where you cannot even remove something.... at least not without writing another php script to do it.

 

P.S. I should add, btw, that if you wrote or are using an upload script, you should do some type of sanity checking on the files. Like if it's strictly for images, make sure it has a .jpg, .gif, .png, etc... extenision. Also, only allowing trusted users (like members of your site) to upload helps too.

 

I've seen several cases where people have open upload scripts that allow people to upload anything they want, including PHP scripts which they can then run to do bad things.

Edited June 10, 2004 by TCH-MikeJ

[okok]

Your best bet, as Lisa said, is to make sure your script creates directories and files with permissions 777, so you can at least make sure you can delete the files.

Thanks. According to the PHP documentation, the default mode for mkdir is 777. Is this wrong, or is PHP on your server configued differently? So do I need to change the line in the code to

>mkdir("path", 0777);

?

P.S.  I should add, btw, that if you wrote or are using an upload script, you should do some type of sanity checking on the files.  Like if it's strictly for images, make sure it has a .jpg, .gif, .png, etc... extenision.  Also, only allowing trusted users (like members of your site) to upload helps too.

Thanks also for the security tips. My script indeed allows only specific file types defined in a special list. And only registered users can upload files. Users who want to upload files of different types must ask me to add the type they want to upload to the list.