Folder Permissions

[dweb]

Hi

 

I've got a file upload script i've written and I have set the folder to 777 to allow uploads

 

With the permission set to 777 does this open me up to potential uploads from 3rd parties? (ie: viruses etc)?

 

So I thought what I would do is

 

1: Set folder to 777 to allow uploads

2: Upload file

3: Set folder to 755 to disable uploads

 

Would this be the best method to do it?

 

Or is that a waste of time and am I safe just leaving it as 777

 

Thanks

[requinix]

1a. Viruses can't do anything unless they're executed. So to prevent viruses from doing anything, don't execute files.

1b. If you're actually worried about viruses being uploaded, install AV software on the server and manually scan files as they're uploaded.

2. Store uploads in a place that is not web accessible. Or prevent the webserver from allowing access to them.

3*. Have PHP create the upload folder: chmod 0777 the parent folder, use mkdir() to create the upload folder then chmod() 0755 it, then chmod 0755 the parent folder.

4. Use a PHP script to send (eg, show or trigger a download on) an uploaded file. Don't link to the files directly - though you could have URL rewriting make it look like you are. Don't forget access controls.

 

* If the server configuration is altered and the PHP user changes, you'll have to do a little work. But this is pretty rare.

[dweb]

Thanks, i'm going to use option 3

 

I have tried the code

 

chmod("../files/", 0777);

 

but I get the error

 

Warning: chmod() [function.chmod]: Operation not permitted in /home/web101/public_html/myadmin/upload.php on line 4

 

Why would that be?

 

 

[requinix]

Only the owner of a file can change its permissions.

[dweb]

thanks, so how can I set that?

[kicken]

thanks, so how can I set that?

 

You chmod the parent through your ftp client or an ssh session.  Once the parent is 777 drop in a quick script to make and chmod the upload directory:

 

<?php
mkdir('uploads');
chmod('uploads', 0755);

 

Browse to the URL for that script so it creates the directory and then remove that script.

 

After the directory is created then use your ftp/ssh to set the parent back to 755

 

[dweb]

the problem is, the "uploads" folder is where I currently store and want to upload files to

 

 

[dweb]

so if I already have a folder called "uploads", then surely I wouldn't run

 

mkdir('uploads');

 

because the folder exists.

 

but when I try and CHMOD that folder with

 

chmod('uploads', 0755);

 

then I get

 

Warning: chmod() [function.chmod]: Operation not permitted in /home/web101/public_html/myadmin/upload.php on line 4

 

[kicken]

You would have to remove your existing uploads folder and re-create it using PHP in order to do as suggested.  Take the current folder and rename it to something else, for instance uploads.old.  Then use the php script to create the new folder with the proper permissions, as well as copy over all the old files.  Remove the old uploads folder when done.

 

[dweb]

the only problem is that the folder contains many files and it's the main folder for all the uploads, so it would mean I would have to copy hundreds of files each time someone uploads a new file

 

basically all I need to do, is make a secure way of uploading a file to a folder, but from what I can see it looks like the only option is to create a new folder in the root each time

 

my goal is just to have a script which files can be uploaded to a defined folder location, but the folder is secured with permissions to stop outsiders uploading anything such as scripts \ viruses etc

 

any suggestions would be great

[scootstah]

the only problem is that the folder contains many files and it's the main folder for all the uploads, so it would mean I would have to copy hundreds of files each time someone uploads a new file

 

You are missing the point here. Let's break it down:

 

1. Rename existing "uploads" folder to "uploads.old".

2. Use PHP to create a new "uploads" folder; mkdir('uploads');

3. Use PHP to CHMOD the newly created "uploads" folder; chmod('uploads', 0755);

4. Copy the contents from "uploads.old" to "uploads".

5. Delete "uploads.old".

 

Whenever someone uploads something in the future, it will go to the newly-created "uploads" folder - you don't have to do anything.

[dweb]

ok thanks, i'll give that a go

 

is that solution practical when you might have 000's of files in the uploads folder, surely it's going to have some serious pressure on the server if uploads are constantly being done and it's being required to shift 000's of files

 

also, what would you suggest if you have multiple users uploading files, surely if folders are being renamed, files being moved etc, then files are going to go missing. Or would it be the case of having 1 folder per user in the root?

[scootstah]

What are you talking about? These changes are made once, not every time someone uploads files.

[dweb]

ok, sorry, misunderstood

 

trying

 

mkdir('uploads');

 

gives the error

 

Warning: mkdir(uploads) [function.mkdir]: Permission denied

[dweb]

-

[dweb]

any idea why I might be getting that error?

[requinix]

You also need to manually chmod 0777 the parent folder (the one in which you're creating the uploads/ folder). Don't forget to change it back to 0755 when you're done.