mkdir() &amp; permissions

mkdir() & permissions

Anon

PHP & Permissions.

I use mkdir( path, 0775 ) which is intended to make a directory underneath a /des directory. This only works if the /des directory has:
drwxrwxrwx 6 master srmag.com 512 Feb 18 01:45 des

which is more permission than I want to give to /des or that I think is necessary for PHP to create directories. This would allow everyone complete access to the /des directory. I was under the impression that PHP only needed owner or at worst group permission. Is there someone who can shed some light on this for me. I'm sure there is a way for mkdir() to work on a directory that is not completely accessable to the world.

Anon

If you don't want to give world permissions to a directory then the group on that directory must be the same that runs the webserver (usually nobody). Or, you have to make the web process a member of the group that owns the directory (not usually a good idea).

If you just give owner and group permissions and a user is not either of those, of course they can't do anything in the directory without world permissions, you probably want your directory to look something like this

drwxrwxr-- 6 master nobody 512 Feb 18 01:45 des

to get it to work without giving world permissions.

Tim Frank

Anon

I appreciate that info. I did that. /des is now owned by nobody (which is the server user on Apache). Having an ownership of nobody on /des allows the php code to mkdir() under it. However, I can view this directory from a browser. I have used various combinations of permissions and wonder if they have any effect since the owner is nobody. My questioning is based on this statement:

Apache runs as a special user called nobody. This means that for Apache to serve up your Web pages to visitors, the files either need to be readable to the world, or they need to be owned by the nobody user.

Q1. Is it standard practice for all my pages and directories to be owned by (nobody)?

Q2. My goal is to have my pages served, my php functions like mkdir() to work, and none of my directories viewable. Maybe I am asking too much of this user/permission stuff. Maybe the solution is to place an index.html in every directory.

Q3. A related question. I have a directory /phpMyAdmin This is a front end to my databases. I want a password dialog to come up when I access it. This used to work on my old server which used .htaccess files. My new unix apache server does not seem to have this. I have looked in all the user guides. How can I accomplish this?

Thanks

Anon

Randy, I will try and address each point below.

I appreciate that info. I did that. /des is now owned by nobody (which is the >server user on Apache). Having an ownership of nobody on /des allows the php >code to mkdir() under it. However, I can view this directory from a browser. I >have used various combinations of permissions and wonder if they have any >effect since the owner is nobody. My questioning is based on this statement:

Apache runs as a special user called nobody. This means that for Apache to >serve up your Web pages to visitors, the files either need to be readable to the >world, or they need to be owned by the nobody user.

First of all when you say that the directory /des is viewable through the browser it kind of scares me a little. The reason is that /des would indicate that it would be off of the ROOT directory of your server. What do you have set as your document root in your apache httpd.conf? I hope you meant that you had a directory like http://myserver.com/des and on your file system it is really /my/web/stuff/des 🙂

Q1. Is it standard practice for all my pages and directories to be owned by >(nobody)?

No, it is not a standard practice to do so. Usually ownership is left as the user/group that created the file and you merely add o+r to the file in order to make it world readable (and thus by the nobody user running the webserver).

Q2. My goal is to have my pages served, my php functions like mkdir() to work, >and none of my directories viewable. Maybe I am asking too much of this >user/permission stuff. Maybe the solution is to place an index.html in every >d....

There are options inside of apache that tell it whether or not to display the directory contents when you browse to a directory without specifying a file and it does not have an index.html file in it. If I recall it is "Allow Indexes" and it can be placed inside <Directory> blocks in the httpd.conf. If you never want directories browsable then you can remove that.
If you want to "cheat" you can make your directories with only o+x instead of o+rx which allows the files in the directory to be read (assuming they are set as mentioned above) but it will not allow the directory to be displayed if there is no index.html file.
When you want functions to read/write to the file system and you are using the mod_php DSO then you have to make them owned/grouped by the nobody user or you have to make them world read/write. The latter is not the best option by far.
If you want to guarantee that the files in the directories for uploads or whatever are not accessible through the web you can place them outside of your apache document root. That way you cannot put in any URL that would access the directory, but the server process could still read/write from the directory.

Q3. A related question. I have a directory /phpMyAdmin This is a front end to >my databases. I want a password dialog to come up when I access it. This >used to work on my old server which used .htaccess files. My new unix apache >server does not seem to have this. I have looked in all the user guides. How >can I accomplish this?

You need to use .htaccess files. If you find that you put the files in the directory but the prompt does not come up for you, then you will need to check your httpd.conf and make sure you have "AllowOverride AuthConfig" inside of the <Directory> block where you want to use it.

You will want to browse the Apache docs for those sorts of things and look for the directives I have mentioned. I know it can be confusing and hard to find when you don't quite know what to look for. There are also most likely similar postings on these forums. I know there are plenty on "how to protect your files" from being viewable via the web.

I hope that answers some of your questions.

Tim Frank

sepodati

So if user 'nobody' is not in the same group as you and it wants to read/server a web page, the file must be world readable?

Now, if you want PHP to create a file or directory, then 'nobody' must have write permissions to that directory. So the only solution is to make the directory world writable, right?

Another issue that I always run into, when PHP creates a file, or copies an image that was uploaded, the file is now owned by 'nobody'. I can't delete it from my own web space b/c I don't own it...

---John Holmes...

Anon

John Holmes wrote:

So if user 'nobody' is not in the same group as you and it wants to read/server >a web page, the file must be world readable?

That is correct. If you don't set the file as world readable and try to access it through the web you will get "Permission Denied". Try it for yourself just to be sure.

Now, if you want PHP to create a file or directory, then 'nobody' must have >write permissions to that directory. So the only solution is to make the directory >world writable, right?

No, that is not the only solution. If you make the nobody user the owner of the directory OR the group owner of the directory then you do not have to make the directory world writable. You can then make the directory only user OR group writable. The group method is probably the better idea and relates to your next question.

Another issue that I always run into, when PHP creates a file, or copies an >image that was uploaded, the file is now owned by 'nobody'. I can't delete it >from my own web space b/c I don't own it...

If I remember things correctly, if the file was moved to a directory that was owned by you and the group was set to nobody and both you and nobody have full rights to that directory then your account should be able to delete any file inside that directory. It should just give you a warning message about deleting a protected file. Now, I'm not sure how you handle that confirmation through PHP file functions, but it should be possible.

Hope that helps.

Tim Frank
---John Holmes...

sepodati

Thanks for the information Tim...

How do I go about changing the directory so that 'nobody' and I are both in the same group and have read/write access to it, and only world readable access for everyone else?

I have a directory images/ like this:

drwxrwxrwx 5 sepodati sepodati 4096 Feb 15 14:25 images

PHP runs as user 'www'

Right now I have the permissions on images/ at 777, as you can see. This is so that 'www' can create directories under images/ and copy images into the directories. I use PHP to create/delete the directories and pictures.

Here is what's under images/

drwxrwxrwx 5 sepodati sepodati 4096 Feb 15 14:25 .
drwxr-xr-x 6 sepodati sepodati 4096 Feb 7 07:42 ..
drwxr-xr-x 2 www www 4096 Feb 15 14:25 1
drwxr-xr-x 2 www www 4096 Feb 7 07:34 16
drwxr-xr-x 2 www www 4096 Feb 7 07:37 17
-rw-r--r-- 1 sepodati sepodati 178 Feb 4 06:10 no_pic.gif

Is there something I can do with chgroup or chmod to make it so that I can delete these numberical directories after PHP creates them? Or do I have to rely on my hosting company to make some changes to the groups??

Thanks again for all of the help.

---John Holmes...

Anon

Hmm... Well, here is what my quick test found... if you can become the www user (which would be easy through a PHP script) then you can chmod those directories/files however you want since www owns them. So, build a PHP page that changes the dir/file permissions to world 7 and then you can delete them all you want.

This of course isn't the best way to do things, but you could build yourself a little file management page (that required login/pass) that would chmod and delete whatever files you wanted to get rid of.

Hope that helps.

Tim Frank

Anon

Thanks for that info Tim. I am now looking at apache docs. I just did not expect the learning curve to get harder when I upgraded to a new server with the same company. I had .htaccess working on the old server but it still does not accept the id and password after I followed all the indtructions I could find. I sent tech support an email.

Anyway, having nobody own the mkdir() directories is something that makes sense for me (that is the default behavior). When they are create, they have -drwx------ even though i have tried mkdir(path,0775) & 0777. The problem I have is that my ftp client cannot access these drwx------ directories. I am thinking if they are owned by nobody as drwxrwx--- then the ftp client can read and write them. That's just a guess. I log on as the main admin account given me by the ISP. Any ideas?

Anon

I just confirmed that a directory owned by nobody as drwxrwx--- (chmod 770) can be read/write by my ftp client, as I suspected. So, I need mkdir(path,0774) to work as expected. So far, I only get drwx------ irrespective of the 0774 parameter I use.

Thanks.

Anon

Randy,

Have you tried using the chmod() function from PHP after the directory has been created to change the permissions?

Tim

Anon

That works great.
Thanks Tim.

sepodati

There is also a umask() function that you might have to use. The value of the mask is subtracted from the permissions that you try to set. The manual says to try something like this...

$old_mask = umask();
umask(0);
mkdir("dir",0750);
umask($old_mask);

maybe it's just easier to do chmod(), I don't know...

---John Holmes...