
EXECUTE permission to WRITE? Really?


ChenXiu


PHP is owner of image directory with "permissions 660."
Why can't PHP write to it? (a "permission denied" error is generated.)
But if I allow execute permission ("760") then it works.
Why??

My script is:

// $imageName stands in for the file name that is missing from the post
$imagePath = '../imageDirectory/' . $imageName . '.gif';
$image = imagecreatefromstring(base64_decode($raw_image_data));
$rotate = imagerotate($image, -90, 0);
imagegif($rotate, $imagePath);

Is it because the imagerotate and imagegif functions need the execute requirements to be able to monkey with the image?

Thank you.

Sub question (maybe more important than the first question):
PHP is configured to run as "user = www-data" and "group = www-data"
I am also a member of the group "www-data."
For me to be able to read and delete files in that aforementioned imageDirectory, should the imageDirectory be chown www-data:www-data ?? or chown myself:www-data ??
(both styles work)

Thank you.


1 hour ago, ChenXiu said:

PHP is owner of image directory with "permissions 660."

This is a fundamental difference between files and directories.  

On a file, the execute bit makes the file .. well .. executable.  

On a directory, the "execute" bit makes the directory "navigable", i.e. you can get "into" it.  

At present, you can see that the directory exists - you can 'r'ead it in a listing of the parent directory - but you cannot navigate into it.  To do that, the directory must have its Execute bit set.  

More typical permissions on a directory would be 750: User:rwx Group:rx Other:(None)

This link explains it better, albeit talking about NFS and UFS, but the principle applies to all types of file system. 

 

1 hour ago, ChenXiu said:

For me to be able to read and delete files in that aforementioned imageDirectory, should the imageDirectory be chown www-data:www-data ?? or chown myself:www-data ??
(both styles work)

It works because you're using the Group-level permissions, which allow you to delete things. 

You should leave it owned by www-data: that account is the owner of this data and works with it all the time; you're just popping in and out now and again (and, if you were to move on to another job, deleting your account would not take down the whole system!) 

 

Regards, 
   Phill  W.

 

  • Thanks 1
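
The rule described in this answer, as an added example that is not part of the original thread: a small Python model of how the owner/group/other bits on a directory decide whether a process may list it, reach files inside it, or create and delete files in it. The uid/gid values are constructed, and root's override, ACLs and the sticky bit are not modelled.

```python
# Added example: models the classic owner/group/other check on a directory.
# Not modelled: root's override, ACLs, the sticky bit, parent directories.

def applicable_bits(mode, dir_uid, dir_gid, uid, gids):
    """Return the one rwx triplet that applies: owner, else group, else other.

    The classes are not merged: an owner never falls back to the group bits.
    """
    if uid == dir_uid:
        return (mode >> 6) & 0o7
    if dir_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def directory_rights(mode, dir_uid, dir_gid, uid, gids):
    """Translate a directory's rwx bits into what a process may do with it."""
    bits = applicable_bits(mode, dir_uid, dir_gid, uid, gids)
    r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
    return {
        "list_names": r,              # read the names stored in the directory
        "reach_entries": x,           # open or stat a path that goes through it
        "create_or_delete": w and x,  # add, rename or unlink an entry
    }


# Constructed IDs for illustration (not taken from the thread).
WWW_DATA = {"uid": 33, "gids": {33}}       # the PHP process
HUMAN = {"uid": 1000, "gids": {1000, 33}}  # a user who is also in www-data


def report(mode, dir_uid, dir_gid):
    """Rights of the PHP process and the human user on one directory."""
    return {
        name: directory_rights(mode, dir_uid, dir_gid, who["uid"], who["gids"])
        for name, who in (("php", WWW_DATA), ("human", HUMAN))
    }


if __name__ == "__main__":
    for mode in (0o660, 0o760, 0o750, 0o770):
        for owner, uid in (("www-data", 33), ("human", 1000)):
            print(f"{mode:o} {owner}:www-data", report(mode, uid, 33))
```

Under this model, 750 lets a group member list the directory and reach its files but not delete them; deleting through group membership needs both w and x in the group triplet, for example 770.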

On 6/15/2021 at 7:14 AM, Phi11W said:

More typical permissions on a directory would be 750: User:rwx Group:rx Other:(None)

Thank you very much for your answer. I think for the first time I'm "getting it."
For me, Permissions have always been like chess, string theory, and religion: lots of trial and error.... and faith.
Now, not only do I know what the typical permissions should be (750), I'm also "getting" what the r, w, and x mean.
Thank you!!

p.s. While I'm now finally getting it, I'm having fun lowering my permissions notch by notch... until something fails. Like having a window open just enough to let fresh air in, but not let rain in.


On 6/17/2021 at 2:11 AM, ChenXiu said:

I'm having fun lowering my permissions notch by notch... until something fails.

Excellent! 

If anyone asks, you're now applying the Principle of Least Privilege, getting your application to work with the minimum level of permissions - just what it needs and nothing more. 

Also, you are now qualified to laugh openly at anyone that runs their entire Application as root.  😉

Regards, 
   Phill  W.

 

 

 

  • Like 1