directory permissions security
I know this topic is done to death, but I can't find a clear answer to my specific question. I have a php script that creates files on my server, for which I need directory permissions 757.
My question: Is this still a security issue even if I do not allow users to upload files to my site? That is, can hackers do this completely on their own?
If so, I need advice on work-arounds, none of which I can get to work. I've tried:
1) .htaccess "deny from all" - my script no longer writes
2) chmod to 757, create & write to file, chmod back to 755 - I get chmod error "Operation not permitted"
3) chown to change user group permissions for write access - not even close to figuring out how to do it.
4) put the directory above root dir - haven't tried; does it really solve the problem?
I just got this working. The solution is pretty easy so here it is for others with the same issue:
1. using ftp, change file permissions for the directory ABOVE the directory in which you want the files to 757
2. use PHP mkdir("directory/path", 0755) to create the directory within the one from step 1
3. PHP chmod("directory/path", 0757) [note - you can try combining steps 2 & 3 with mkdir(..., 0757), but my server didn't allow it]
4. PHP file_put_contents() to create and write the file in the directory PHP created
5. PHP chmod("directory/path", 0755)
6. *** Remember to ftp the directory in step 1 back to 755
Thereafter, you should be able to create, write to, and update files in your PHP-created directory.
In short, php can only chmod to folders and files that it creates, so set permissions to 757 via ftp, let php create the directory, then php can chmod back & forth as needed when writing.
If anyone sees a problem with this fix, please post for my benefit and others.
I just discovered that steps 3 & 5 above may not even be needed -- php can write to directories that it creates with 755 permissions.
The problem is probably the group/owner permissions.
What group and owner are your directory and files being created as, your account or apache:apache?
Also, are you hosting the account on the server using a control panel like Plesk or cPanel?
I'm currently on a shared hosting plan with a provider. My web host has its own admin panel; I don't recognize the two names you mention and doubt they're involved.
I don't really know the group & owner config either, though when I run phpinfo, I do get some apache settings if that means anything.
As I said, the problem is fixed (unless I'm wrong somewhere in my post above), but I am interested in tips on working with owner & group permissions -- don't know much about that beyond basic chmod.
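The ownership question raised in this thread, as an added example that is not part of any of the posts: a PHP script that creates a directory at 0755, writes a file into it, and prints the mode, owner and group of each path next to the UID PHP runs as. The temp-directory parent, the directory name and `describe()` are assumptions made for the demo.

```php
<?php
// Added example. The parent path, directory name and describe() are
// constructed for this demo; substitute the real web directory when testing.

function describe(string $path): array
{
    clearstatcache(true, $path);           // avoid stale cached stat data
    $mode  = fileperms($path) & 0777;      // keep only the rwx bits
    $owner = fileowner($path);
    return [
        'mode'           => sprintf('%04o', $mode),
        'owner_uid'      => $owner,
        'group_gid'      => filegroup($path),
        // Is the path owned by the account PHP runs as? (needs ext-posix)
        'owned_by_php'   => function_exists('posix_geteuid')
            ? var_export($owner === posix_geteuid(), true) : 'unknown',
        // The trailing 7 in 757: any local account may create files here.
        'world_writable' => var_export(($mode & 0002) !== 0, true),
    ];
}

$parent = sys_get_temp_dir();              // stands in for the FTP-owned parent
$dir    = $parent . '/php-created-' . bin2hex(random_bytes(4));

// mkdir()'s mode is reduced by the process umask, so set the umask explicitly.
$oldUmask = umask(0022);
if (!mkdir($dir, 0755)) {
    exit("mkdir failed: the PHP user cannot write to $parent\n");
}
umask($oldUmask);

// PHP owns $dir, so the owner's write bit in 0755 is enough to write here.
if (file_put_contents("$dir/data.txt", "written by PHP\n", LOCK_EX) === false) {
    exit("write failed in $dir\n");
}

foreach ([$parent, $dir, "$dir/data.txt"] as $path) {
    $info = describe($path);
    printf("%-45s mode=%s uid=%d gid=%d owned_by_php=%s world_writable=%s\n",
        $path, $info['mode'], $info['owner_uid'], $info['group_gid'],
        $info['owned_by_php'], $info['world_writable']);
}
```

Comparing the `uid` column for an FTP-uploaded directory with the one PHP created shows which account owns each, which is what decides whether `chmod()` from PHP is permitted.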