[nycphp-talk] Setting directory permissions
Hans Zaunere
zaunere at yahoo.com
Fri Apr 18 21:40:45 EDT 2003
--- jsiegel1 at optonline.net wrote:
> Hans,
>
> What would you suggest for a set of pages that use a set of pics that the
> end user can upload?
If you're looking for a picture gallery option, then http://gallery.sf.net is
probably your best bet. It requires Apache writable directories and
safe_mode=off (PSaw may be able to expand on this, since he implemented it for
NYPHP.org). This isn't inherently insecure, but a shared environment and a
clever malicious user, may be food for thought.
> Should I upload them (the pics) into a database as blobs?
This certainly is the 'cleanest' option; but performance could be a
consideration, especially for large images.
Having apache writable directories isn't always a bad thing, but if you end
up writing the code yourself, just be very careful with paths and such.
H
> Jeff
>
> ----- Original Message -----
> From: Hans Zaunere <hans at nyphp.org>
> Date: Friday, April 18, 2003 8:20 pm
> Subject: Re: [nycphp-talk] Setting directory permissions
>
> >
> > Hi Jeff,
> >
> > --- jsiegel1 at optonline.net wrote:
> > > I'm sure this is an easy one but...since I'm still learning PHP...I'm
> > > scratching my poor bald head. ;)
> > >
> > > Here's a code snippet:
> > >
> > > //create new directory with the id name if it doesn't exist, chmod to 777
> > > if(!is_dir($id)) {
> > >     $root = getenv('DOCUMENT_ROOT');
> > >     $id = $root . '/pic_test/' . $id;
> > >     mkdir($id,0777);
> > > }
> >
> > Note that the is_dir($id) call isn't necessarily checking the dir you think
> > it is.
> >
> > > The problem is...this only works if I chmod the subdirectory "pic_test" to
> > > 777 using my FTP application. However, I want to quickly change the
> > > permissions via PHP code, upload some pictures with my form, then change
> > > the permissions back to 755.
> >
> > Assuming you're running PHP as an Apache module, you'll be limited to the
> > user privileges of Apache itself. While in most cases this is good, for
> > writing to the filesystem things can get hairy.
> >
> > For one, you won't be able to change the permissions of a directory/file you
> > don't own (read: apache's running user doesn't own). So, trying to change
> > the permissions from less-restrictive to more-restrictive 'quickly' is a moot
> > point, since if a malicious page is written, he'd just change the perms if
> > desired anyway.
> >
> > It's a catch-22 (as it should be) and is only solvable by having proper
> > ownership (or improper ownership, depending on your viewpoint), suEXEC
> > (achtung!) or a daemon to handle file operations.
> >
> > HTH,
> >
> > H
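An added example, not part of the original message or of any project named in the thread: one way to be careful with paths when writing the upload code yourself, written for current PHP. It builds the full directory path before calling is_dir(), so the check and the mkdir() refer to the same directory, and it never uses client-supplied names in a path. The function names and the demo base directory are assumptions; the directory is created 0755 and is assumed to sit under a base the web server user owns.

```php
<?php
// Added example for current PHP; gallery_dir(), store_upload() and the
// demo base directory are hypothetical names, not from the thread.

function gallery_dir(string $base, string $id): string
{
    // Allow-list the id so it cannot carry '/', '..' or a NUL byte.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        throw new InvalidArgumentException('invalid gallery id');
    }
    $base = realpath($base);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload base directory is missing');
    }
    // Build the full path first, then test and create that same path.
    $dir = $base . DIRECTORY_SEPARATOR . $id;
    if (!is_dir($dir) && !mkdir($dir, 0755) && !is_dir($dir)) {
        throw new RuntimeException('cannot create ' . $dir);
    }
    // A symlink planted under the base must not lead outside it.
    $real = realpath($dir);
    if ($real === false || dirname($real) !== $base) {
        throw new RuntimeException('directory escapes the upload base');
    }
    return $real;
}

function store_upload(array $file, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a completed HTTP upload');
    }
    // Take the extension from the image content, never from the client name.
    $types = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset($types[$info[2]])) {
        throw new RuntimeException('not an accepted image type');
    }
    $dest = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $types[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);
    return $dest;
}

$base = sys_get_temp_dir() . '/pic_test_demo';   // constructed demo base
is_dir($base) || mkdir($base, 0755);
echo gallery_dir($base, '42'), PHP_EOL;
```

In a form handler, store_upload() would be called with one entry of $_FILES and the directory returned by gallery_dir().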