Look to see what I am doing ---(vincent)

Anon

Ok, guys what I am trying to do.. Take a look. I have a domain control panel. right now i need to get working (upload file per domain that logs in).
But I can not give IUSER Write permissions on the domain because of secuerty...
Please take a look
www.nexflo.com
click on login
username : tester
password : tester

click on account management..
right there i am trying to enable users to be able to upload files and view there folder directory...
any idea's

[deleted]

What kind of file are you uploading there? it just says 'upload file'

Anon

The files need to be
.php
.php3
.jpg
.html
.htm
.js
.css
.shtml
.idx
.zip
.mdb
It goes on.. Everyfile type that is needed for web serving
they need to be able to upload all types of files except
.com
.exe
.bat
.vbs there are a couple of more i am sure.. need to think about it
but you get the idea

Anon

I have made a user called
upload
upload
that can read write and delete
this is for testing only...
but
i want the upload.php to connect as
user
upload
upload
so that they can write and read and delete the file in the directory
....... It can not be the IUSER
because that is just to easy to somebody to hack in...
🙂 thanks vincent for you help... this one has got me thinking 🙂

[deleted]

Look, forget all about this web interface, just use FTP. It does all you want and more, including user-based security.

Anon

Man, that does not help. I understand that FTP work and how it works.. But this is what I am trying to do. It need to be able to upload files..
The reason for this
is all my plans do not include FTP access

Anon

If i give IUSER write access IT WORKS.
Ok, i have no problem uploading a file..
IT is with
when upload.php loads
it need to login as
uploader
uploader
not as IUSER

[deleted]

sigh

There is no Loggin in. nothing logs in, nobody logs in. The webserver runs as the IUSER (apperently) and that is the ONLY user that has anything to do with it at all.

The only thing you can do is let the IUSER write the file to the directory of the end-user, and change the file ownership to whatever you need.

But once again, this is an FTP task, not HTTP.

What if a user needs to upload 500 files? WIll you make him go to the upload page 500 times? Use FTP.

trooper

Chris

If you absolutely MUST enable the user to upload then upload the file and then simply move the uploaded file to a different directory. One that the user has write persmission to. Then at least you have the file on the server.

Vincent is correct that this is an FTP role and not an HTTP one.

Any questions just ask away

Gary Mailer

Anon

That will not work eather..
Please let me know of a way it can be done.. Maybe with java or asp...
If you have any ideas please let me know

mithril

Unfortunately, you've gotten all the ideas and suggestions you're likely to get. This is what it boils down to:

1) HTTP is a connection-less, unidirectional protocol. Is is not designed for file uploading.

2) HTTP can do file uploads through the <file> form element. This is a one to one relationship. One file can be uploaded for every occurance of the <file element. There's no way around this fact of life using any existing technology; this includes PHP, ASP, C, Java, JavaScript, JSP, ColdFusion, CGI, etc. Accept it.

3) There's a reason why FTP is named File Transfer Protcol. A hammer can pound in a screw, but it's much more efficient and sensible to use a screw driver. It's the same thing with what you're talking about.

4) There is, can only ever be, one user account that the webserver is running as. That is the only account that that can copy files around the server's filesystem. The webserver user account becomes the default owner of any files uploaded though a form. If the copied file(s) need to be owned by another account, you have to change the permissions once the copying is complete.

If you're so insistent of using a browser-based interface exclusively, your only real option is to write a browser-based FTP client.

You will still need an FTP server running and all your customers are still going to need FTP accounts to be able to upload. Thus, it makes more sense just to give them normal FTP access.

If you're worried about about potentially harzardous files being uploaded, make sure IUSER_* doesn't have execute permissions and configure your FTP server to refuse files of the given extension.

If you're still worried, tell your customers that filetypes X,Y,Z are not allowed and will be deleted. Then write a script which trolls though your user folders on a regular basis deleting all the banned file types based on their mime-type (not the extension.... to easy to fake).

-geoff