jasonsho Posted March 30, 2003 Posted March 30, 2003 Hi all - I want to have a PHP page where a user can upload a file, and then I save that file to disk. Of course, I can do this on my local Linux development machine, but I have to change the permissions of the upload directory so that whatever user Apache and PHP are running as has write access to that directory. My question is, can I do the same thing somehow on my TCH account? It looks to me that in the CPanel, I can change the permissions of a directory for UserGroupWorld, but can I change the group to match whatever user Apache runs as? Wouldn't that be more secure than simply making the directory world-writeable? Thanks... jasonsho (somehow a funny short for "jasonshosting") Quote
Lianna Posted March 30, 2003 Posted March 30, 2003 The most secure option for you is to create an FTP user through cPanel. That will create the directory, username and password with all the correct permissions. Lianna Quote
jasonsho Posted March 31, 2003 Author Posted March 31, 2003 But if a PHP script is the thing doing the file writing, don't I need a directory with permissions such that the PHP user (meaning the user that Apache runs as) has write access? Quote
borfast Posted March 31, 2003 Posted March 31, 2003 Hi Jason. Yes, you'll need to give write permissions for PHP (Apache ) to write to that directory. Unfortunately, PHP doesn't allow to execute code under another user ID. Quote
jasonsho Posted March 31, 2003 Author Posted March 31, 2003 OK cool - is there a way I can assign a particular user permissions like that via CPanel? And, does anyone know what the user ID is for Apache on TCH? Thanks all! -Jason Quote
MRwisdom12 Posted April 4, 2003 Posted April 4, 2003 This is a great question. I am having the same problem but I a so new to this, I wasn't what to even ask. Coming from a MS background I have a lot to learn about linux and php. MFZ - Microsoft Free Zone!! TCH Rocks Quote
KevinW Posted April 5, 2003 Posted April 5, 2003 Check out: http://www.developer.com/lang/php/article.php/1456041 -or- http://www.hotscripts.com/PHP/Scripts_and_...Upload_Systems/ -kw Quote
dozure Posted April 15, 2003 Posted April 15, 2003 the apache user is "nobody" i believe... if you do a >chown -R nobody directory that would take care of it i believe. this would have to be done from a command line through SSH though I believe Quote
dozure Posted April 15, 2003 Posted April 15, 2003 oh and would you be willing to share the script if you get it working? I would like to have something like that. I'm getting tired of walking people through using FTP Edit: nevermind, I followed KWs link and found one I'm going to use. Quote
jasonsho Posted April 15, 2003 Author Posted April 15, 2003 OK - attached is the script that was linked to above by kweilbacher with some extra crap by me. I was just trying to make it work to test the permissions issue, and it didn't have all the error reporting that I would like. The suspect lines are: > if(!copy($HTTP_POST_FILES['file']['tmp_name'],"/changeme/public_html/test/".$HTTP_POST_FILES['file']['name'])) print "Failed to upload file!"; I do not currently have shell access to my account. However, I can make the "/changeme/public_html/test/" directory writeable by world via CPanel, and then the file upload works OK. By doing that, I am just giving any user on the system write access to that directory, versus limiting it to the apache user or its group. So now the question is, how much less secure is this method? My thoughts: if some sort of attack or misuse comes via apache to somehow upload files to this directory, it could happen in either case - only for other users on the system is this a greater risk. So what sort of risk do we have for other user IDs on our systems? What about anonymous FTP? Any takers? -jasonsho file.php Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.