Jump to content

Secure directory outside html directory issue


Recommended Posts

The server is AWS linux apache running PHP, with me the sole developer as owner ec2-user.



To upload files from the app user's browser (handled) to a temporary directory (/test_sub below) within the /html tree, then for security purposes, to have PHP move this file to outside the /html tree (/private_sub below) where it will remain unable to be read, written to or deleted except when the app requires PHP to do this. The app needs PHP to make any directory permission changes via chmod, and perhaps owner changes and group changes (preferably not the last two).


Here is the directory structure and SUDO output to accomplish this:


/var        drwxr-xr-x 21 root root 4096 Dec 11 19:23 /var

    /www        drwxrwsr-x 11 root www 4096 May  1 16:50 /var/www

    :   /html       drwxrwsr-x 5 root www 4096 Apr 25 19:51 /var/www/html

    :   :   /AWS_s      drwxrwsr-x 8 ec2-user www 4096 May  1 16:54 /var/www/html/AWS_s

    :   :   :   /test_dir       drwxrwsrwx 3 ec2-user www 4096 May  1 16:52 /var/www/html/AWS_s/test_dir

    :   :   :   :   /test_sub       drwxrwsrwx 4 ec2-user www 4096 May  1 23:14 /var/www/html/AWS_s/test_dir/test_sub

    :   :   :   :   :   /test_file.txt      -rw-r--r-- 1 ec2-user www 13 Apr 24 13:36 /var/www/html/AWS_s/test_dir/test_sub/test_file.txt


    :   /private_dir        drwxrwxrwx 3 ec2-user www 4096 May  1 21:02 /var/www/private_dir

    :   :   /private_sub        drwxrwxrwx 2 ec2-user www 4096 May  1 21:19 /var/www/private_dir/private_sub

    :   :   :   /moved_file.txt     -rw-r--r-- 1 ec2-user ec2-user 13 Apr 24 13:36 /var/www/private_dir/private_sub/moved_file.txt

    :   :   :   /copied_file.txt        -rw-r--r-- 1 apache apache 13 May  1 23:49 /var/www/private_dir/private_sub/copied_file.txt

    :   :   /private_sub2       drwxr-xr-x 2 apache apache 4096 May  2 00:18 /var/www/private_dir/private_sub2


The PHP scripts are run in the /test_sub directory.

The default permissions for directories are drwx rws r-x  2775.


Only when the /private directories are both set to 777 and the setgid is unset will they allow files to be written to them. When the two /test directories are set to the default of 775 with the setgid set, they allow files to be copied from them. However, when the move (rename) script is run, the delete function of the copy and delete process throws an error unless both /test directories are reset to 777 clearly allowing files to be deleted.


I'm concerned that the /test and /private directories need to be 777, opening them up to bad actors.


I've spent days researching and testing many options but have failed to resolve this. Clearly, I'm missing something fundamental here ;)


My questions:

1. Why do the two /test and the two /private directories need to have the 'other' set to rwx? I read that PHP uses group www and therefore that group www should allow the writes in the /private directories and the reads and deletes in the /test directories.

2. Why does copied_file.txt have owner:group as apache:apache instead of ec2-user:www and likewise when I mkdir /private_sub2 in PHP?

3. Why does moved_file.txt have owner:group ec2-user:ec2-user instead of ec2-user:www?

4. Why did PHP mkdir create the non-default permission 0755 in /private_sub2?

5. Why, using PHP, do chown, chgrp and chmod fail to make changes to /private_sub/moved_file.txt?


Link to comment
Share on other sites

1. Because Apache/PHP is not running as ec2-user. That user will be whatever it's configured to be - it could be www or it could be something else. In your case it's either apache.

2. Because that's the user PHP is running as and copying creates a new file.

3. Because that's the original owner:group of the file and moving doesn't change ownership.

4. Because 0755 is the default permission.

5. Because moved_file.txt is owned by a different user, so only that user (and root) can change ownership and permissions.


Here's your homework:

- Find out what user/group your PHP is running as. Look at the actual configuration, not tutorials or articles on the internet.

- Learn about Unix file permissions.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.