Directory security

[Jonob]

Hi all,

 

Part of my app is creating PDF documents for users to download...and for this I need to write the PDF's to a folder using FPDF. I then provide the link of the pdf to the user, which they can click on, and the user can then download it.

 

However, it seems that in order for this to work, its necessary for me to chmod the directory to 777 (anything less than this and the script is unable to save the file in the directory).

 

I'm obviously not that keen on having a public directory out there with a 777 permissions...or am I being over-paranoid?

 

Is it an option to normally have the directory at (say) 644, and then chown it to 777 during the pdf script creation, and then chown it back to 644 once the script has run? I suspect that this may trip up in a multi-user environment though...

 

I also thought of putting the directory above the document root, but that obviously wont work with users having a clickable link to download the pdf's.

 

Any other ideas or thoughts appreciated.

[MadTechie]

Well technically only the owner needs write access (as PHP is running as the owner) so 755 should be fine.

[Jonob]

Well...thats strange then. Because it doesnt seem to write the pdf to that directory at anything less than 777. I've tried 775, 755, and 776 to no avail.

[MadTechie]

Humm..

try creating the folder from PHP

mkdir("/path/to/my/dir", 0755)

see if that does it

[Jonob]

It seems that php is unable to create a directory due to a 'Permission denied' error

 

Does this mean that php is running with some kind of reduced permissions?

[Jonob]

Oops, pressed Post too soon.

 

I meant to add that my php files are running on 644 permissions, which I am guessing is not enough to be able to create a new directory (or being able to create the pdf in the directory tha exists already).

 

Am I on the right track here? If so, whats a 'safe' level to be running php scripts as?

[MadTechie]

I have had a problem before, with permissions (nothing would write unless it had 0777 permissions),

What i did was create a folder with 0777 permissions, then created a script to create a folder inside that with 0755 permissions,

and that folder i could write files too,

 

So change the permissions of a folder to 0777, and put the below script inside it,

Click create folder.

then create file

then remove file

then change the permissions to the folder (containing the script and change permissions back to 0755 or ) (non-recursive)

then test the create file and remove file links

 

<?php
$action = $_GET['action'];
$thisFolder = dirname(__FILE__)."/";
$file = $thisFolder."tmp/tmp.txt";
$tmpdir = $thisFolder."tmp";
switch($action){
case "mkdir";
	echo $tmpdir;
	mkdir($tmpdir, 0755);
break;
case "rmdir";
	if(file_exists($file)) unlink($file);
	rmdir($tmpdir);
break;
case "mkfile":
	file_put_contents($file,"TESTING",FILE_APPEND);
break;
case "rmfile":
	if(file_exists($file)) unlink($file);
break;
}
?>
<a href="?action=mkdir">Make Dir</a><BR />
<a href="?action=rmdir">Remove Dir</a><BR />
<a href="?action=mkfile">Make File</a><BR />
<a href="?action=rmfile">Remove File</a><BR />
<a href="tmp/">See Folder</a><BR />
<a href="tmp/tmp.txt">See File</a><BR />

 

 

Hope that helps

[waynew]

I have this problem ALOT. Even on "established" hosting services. 755 usually doesn't work for me.

[Jonob]

I have had a problem before, with permissions (nothing would write unless it had 0777 permissions),

What i did was create a folder with 0777 permissions, then created a script to create a folder inside that with 0755 permissions,

and that folder i could write files too,

 

So change the permissions of a folder to 0777, and put the below script inside it,

Click create folder.

then create file

then remove file

then change the permissions to the folder (containing the script and change permissions back to 0755 or ) (non-recursive)

then test the create file and remove file links

Hope that helps

 

Worked perfectly!

 

Thanks a stack MadTechie!