I have checked out articles and tutorials.
I don't know what to do about the security of my picture upload-folder.
It is pictures for classifieds which should be uploaded to the folder.
This is what I want:
Anybody may upload images to the folder.
The images will be moved to another folder, by another php-code later on (automatic).
Only I may manually remove them, as well as another php file on the server which automatically empties the folder after x-days.
What should I do here?
The images are uploaded via a php-upload script.
This script checks to see if the extension of the file is actually a valid image-file.
When I try this:
chmod 755 images
the images wont be uploaded.
But like this it works:
chmod 777 images
But 777 is a security risk right?
Please give me detailed information...
The Q is, what to do to solve this problem, not info about what permissions there are etc etc...
Thanks
If you need more info let me know...
You have to make sure the upload folder is owned by apache or whoever user is as which the http server is started.
Alternatively you can use 775 owned by the UID who will be collecting the files and with as gid the group id as which the webserver is started.
There are of course variations on these themes.
As long as the webserver user or webserver group has permission to write in the folder, it will be fine for uploading.
There are all kind of cornercases, but then we'll need more info about your setup.
0 No Permissions (the user(s) cannot
do anything)
1 Execute Only (the user(s) can only
execute the file)
2 Write Only (the user(s) can only
write to the file)
3 Write and Execute Permissions
4 Read Only
5 Read and Execute Permissions
6 Read and Write Permissions
7 Read, Write and Execute Permissions
First number = OWNER
Second number = GROUP
Third number = OTHER USERS
One possibility for why it only works with 777 permissions might be if you are running SELinux. It's possible that it is preventing the write. I would have thought though that it would have prevented it even with the 777 permsissions but I'm no SELinux expert.
Every newbie mix users up. :)
You just have to distinguish OS user and website user.
The latter one has nothing to do with OS permissions.
For the OS users you have given 2 of them:
- FTP user, owner of the files, uploaded via FTP
- webserver user, owner of the files uploaded via browser.
- Site user, who have no direct access to any files at all.
So, in case both these users are the same, you have no worry about.
But usually these are different users. So, one has no access to other's files unless directories has 777 and files 755.
That's why you have to set 777 for directories.
As we have learned above that website users has nothing to do with os permissions, you should not worry about security. 777 is ok.