Hi. I want to do an upload script that will allow logged in and verified users to upload a file to a folder on the server. Is it possible to change the folder permissions from the php script, then change them back after the upload is complete? I don't really want to leave the folder open to read/write/access at all times... Unless this really isn't that big a deal. Maybe just putting the folder one level above the web root would take care of the possible security issues? Any ideas or comments?

    hi
    q: what would be the benefit of changing permissions of the folder ?
    a: think a bit =D

    since you change the permissions in your script, and your script is the only(?) directive capable of uploading the file...it would be useless...your script has to be 'secure'.

      What os is the server running? Do you have root access? If you give write access to the user in which the web server runs under and write a secure script you shouldn't have any problems.

        Okay, perhaps my brain isn't working, but I don't think I'm following here. The way I've got it set up is that, upon valid log in, I set a session variable. I then check to make sure that the variable is set on every page - if not, I've got a header call to send the user back to the log in page. So far, it's been successful. Is this not nearly secure enough, or am I missing something?

        The server is windows based, and this is the only script to upload files to the server. There's obviously an error catching function built in as well to make sure that the file extensions are .jpg, .gif, or .txt, but I just wondered if I should be concerned about leaving a folder on the server with full permissions, or if it is better to change those at run time, and only for the duration of the upload process.

        Sorry if this doesn't make sense. I've been working the yard all day, and I think my brain is sunburned...

          Well, if you really want to change directory permissions from a php script you could try using the php system() function and the cacls system command. If you type cacls at a command prompt you will see what kind of options it can take. Of course, the user that your web server runs under would have to have admin privileges.

          Listen though. If your web server has permissions to change permissions on a directory how would changing permissions at run time be more secure? If someone hacks your web server would they not be able to change permissions? Also, if you are really concerned about security I would suggest using some type of UNIX based os. Particularly OpenBSD.

          I do understand where you're coming from, but it isn't a correct way of looking at things. You are going more in the direction of security through obscurity which is definitely not the way to go.

            Originally posted by jlarson
            Listen though. If your web server has permissions to change permissions on a directory how would changing permissions at run time be more secure? If someone hacks your web server would they not be able to change permissions?

            Excellent point, there.

            I do understand where you're coming from, but it isn't a correct way of looking at things. You are going more in the direction of security through obscurity which is definitely not the way to go.

            Thank you for the advice. I'm thinking I may just play around with using the server control panel to password protect the entire directory. If there is any specific advice or hints on more intelligent ways to do this, I'd appreciate it greatly.
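
An added example, not code from any poster in this thread: a PHP upload handler that combines the points raised above (session check before anything else, the .jpg/.gif/.txt allow-list, a folder outside the web root with fixed permissions). The path, form field name, session key, login page and size limit are assumptions, and it needs PHP's fileinfo extension enabled.

```php
<?php
// Added example; every name and path below is an assumption, not from the thread.
const UPLOAD_DIR = __DIR__ . '/../private_uploads'; // hypothetical folder above the web root
const MAX_BYTES  = 2 * 1024 * 1024;                 // hypothetical size limit
// Extension allow-list from the thread, mapped to the content type each should have.
const ALLOWED = ['jpg' => 'image/jpeg', 'gif' => 'image/gif', 'txt' => 'text/plain'];

session_start();
if (empty($_SESSION['user_id'])) {   // hypothetical session key set at login
    header('Location: login.php');   // hypothetical login page
    exit;                            // without exit, the rest of the script still runs
}

function reject(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

$file = $_FILES['userfile'] ?? null; // hypothetical form field name
// 'error' is an array when the field was submitted as userfile[]; refuse that too.
if (!is_array($file) || !is_int($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
    reject(400, 'Upload failed.');
}
if ($file['size'] > MAX_BYTES) {
    reject(413, 'File too large.');
}

// Check the extension against the allow-list, then check the content agrees with it.
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    reject(415, 'File type not allowed.');
}
$detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if ($detected !== ALLOWED[$ext]) {
    reject(415, 'File content does not match its extension.');
}

// Never reuse the client-supplied name: generate one and keep only the vetted extension.
$target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $target)) {
    reject(500, 'Could not store file.');
}
echo 'Upload stored.';
```

Because the folder sits outside the web root, stored files cannot be requested by URL; serving them back needs a separate script that repeats the session check.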
