I have a classifieds website, and when users post a new classified, they may choose to upload images.
My PHP code takes the chosen image, uploads it to an image folder, and names it accordingly.
The problem here is, I have to set the images folder to 777 in order for this to work.
My question is, what should the permissions be set to? And any ideas why it is not working if not 777?
If you need more input just let me know...
Thanks
UPDATE
I have a user (danny) which has root access...
The folder where images are uploaded to, as well as the "image_upload.php" file which does the magic, are owned by user "danny". Then I just tried setting them to chmod 764, but when I do that I get a problem.
See, it seems that I HAVE to set r+w+e permissions for the "public" for everything to work.
Can't figure out why...
Thanks again
Forget Revelations, 777 is the true number of the beast :-)
You should almost never need to set permissions that way. Surely your images are being created in the directory under a single user ID like php.
If that's the case (and it should be), you just need to add that user to the specific group of that directory and allow group write access, 764 most likely, though the last digit may change based on other needs.
You can probably figure out which user is running by changing the upload script to do:
system ("id >/tmp/id.txt")
or whatever the equivalent is in PHP for running a command line tool.
Then check the /tmp/id.txt file for the details. You'll have something like:
uid=1000(php) gid=1000(phpgrp) groups=1000(phpgrp)
Once you find that out (php), work out the group of that images directory:
pax> ls -ald images
drwxr-xr-x 4 pax paxgrp 4096 2010-06-14 16:38 images
That would be paxgrp from the above transcript. Then ensure that the php user is added to the paxgrp group. This can usually be done in /etc/group by changing, for example:
paxgrp:x:1027:bob,george
into:
paxgrp:x:1027:bob,george,php
then ensure the directory permissions allow group (but not world) writes.
And, based on your update, it doesn't actually matter who owns your PHP file, just who's running it, and that may not be danny at all.
Otherwise, I could remove any file on the hard disk because rm is owned by root :-)
The quickest way to find that user out for certain is to change that file so that it outputs the id information as I suggested.
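An added example, not part of the original answer: a POSIX shell check of which permission class (owner, group or world) lets a given uid and group list create files in the upload directory, plus a test for the world-writable bit that 777 sets. It assumes GNU stat (Linux); the function names and the php account name in the comments are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original answer. Assumes GNU stat (Linux).
# write_class DIR UID "GID GID ..."  (numbers as printed by `id -u` / `id -G`)
# Prints the permission class that lets that identity create files in DIR:
# owner, group, world, or none. Root (uid 0) bypasses modes and is not modelled.
write_class() {
    wc_uid=$2 wc_gids=$3
    wc_meta=$(stat -c '%u %g %a' "$1") || return 2
    set -- $wc_meta              # $1 = owner uid, $2 = group gid, $3 = octal mode
    wc_mode=$((0$3))             # e.g. 775 or 2770, read as octal

    # The kernel applies exactly one class: owner, else group, else other.
    if [ "$wc_uid" = "$1" ]; then
        wc_class=owner wc_bits=$(( (wc_mode >> 6) & 7 ))
    else
        wc_class=world wc_bits=$(( wc_mode & 7 ))
        for wc_g in $wc_gids; do
            if [ "$wc_g" = "$2" ]; then
                wc_class=group wc_bits=$(( (wc_mode >> 3) & 7 ))
            fi
        done
    fi

    # Creating a file needs write (2) and search/execute (1) on the directory.
    if [ $(( wc_bits & 3 )) -eq 3 ]; then echo "$wc_class"; else echo none; fi
}

# Succeeds if the "other" write bit is set, which is what 777 turns on.
world_writable() {
    ww_mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$ww_mode & 2 )) -ne 0 ]
}

# Report for a named account; "php" below is a placeholder for whatever user
# the id output in /tmp/id.txt shows. Example: audit_upload_dir images php
audit_upload_dir() {
    au_uid=$(id -u "$2") || return 2
    au_class=$(write_class "$1" "$au_uid" "$(id -G "$2")") || return 2
    echo "$1: $2 can create files via: $au_class"
    if world_writable "$1"; then echo "WARNING: $1 is world-writable"; fi
}
```

On a directory the execute bit is the search permission, so the function reports none for a group member at mode 764 and group at 770 or 775.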
And any ideas why it is not working?
Other than permissions, make sure to specify proper settings for:
- file_uploads
- upload_max_filesize
- memory_limit
- max_execution_time
- post_max_size
See:
- How to optimize your PHP installation to handle large file uploads
Also make sure that:
- You have specified the enctype="multipart/form-data" in the form
- Check the files array with print_r($_FILES);
The answers here are great, I just wanted to add one other possibility. You mentioned that a user "Danny" has root access and this Danny owns the files/dirs. With a non-CLI PHP script, the web server user should own the script, then you wouldn't need the public to be able to read, write and execute (honestly, if you do it right, you should be able to set permissions to 700 and still be OK - though it's usually never that restricted).