I am trying to figure out how to set permissions on my server.

I run a web site where the user uploads pictures.

Pictures are stored in /pictures

If user "joe" with id 545 uploads a picture, the picture must go to /pictures/545/picname.jpg

Because a directory is created on the fly when the user uploads, I guess I have no choice to set permission 0777 on directory pictures. Is it right?

The sub dir 545 (/pictures/545) will inherit the same permission, so it will also be 777.

By setting permission to 777, I think I am creating a huge security hole. Is there a way to do not set permission to 777?

Pictures are uploaded with account nobody.

My admin account is not a root account.

    I´m not sure, but permissions 755 aren´t enough?

      If you are running PHP as an apache mod, then the files loaded through an HTML form will be owned by the apache user (usally nobody or apache). The only permissions you will need is for the apache user to have rwx on the directory in question. 700 should be all the perms you need for this type operation.

      This still presents a security hole as anyone who has access to apache on your system will have access to write to this dir. If you are doing it this way, make sure you put good error checking on any user input, and obviously password protect your scripts with .htaccess or something.

        Write a Reply...