Uploading files and dangerous permissions.

jtown

Hello all.

I am creating a content management system for a website and I need to include file uploading. This is so the users don't have to ftp into the server to place the files. In order to do this I need to make a directory rwx (call this folder 'uploads') by all correct?

This seems a bit dangerous. Is there anything I can do to help make this more secure? The link to the 'uploads' folder will be visible when people access those documents from the public site.

Thanks!

devinemke

couple ideas:

if you are using Apache, you could store the files in an htaccess password protected directory and only give out the login info to allowed users.
store the files outside of the document root all together and serve them up via the [man]header[/man] function. you would still need to implement your own authorization routine so only ceratin users could access the [man]header[/man] script itself.

jtown

What if the files need to be accessed by all visitors?

How dangerous is it for the hacker to know the directory that is 777'd?

How does everyone else do this?

kburger

Why would it need to be '777'? It only needs to be readable and writeable by either the user or the group that the webserver runs under.

Assuming you're using Apache and the webserver runs as the user 'apache' and group 'apache' the upload directory needs to be:

apache:whatevergroup 600

whateveruser:apache 060

Weedpacket

Or at least 644, to allow everyone to look, but not touch.

jtown

for some reason it never worked without permissions set to 777.

Hmm ... I guess I should test this again.

644 is fine?

kburger

Again, that would depend upon the user:group of the webserver and the user:group of the upload directory.