Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP upload permission problem

right guys ive ran into a problem with file permissions with the following upload form. a text file is passed to the upload/ dir by global users.

mysite$ ls -l
drwxrwxrwx 2 user user 4096 2010-09-24 13:07 upload

but as I am not logged in as root, the new file uploaded to the domain saved itself in the upload/ dir with limiting permissions and cannot be modified. eg.

upload$ ls -l
-rw-r--r-- 1 www-data www-data 3067 2010-09-24 13:07 Readme.txt

this problem is obviously the same for all files added to the upload folder by global users. once the file is uploaded I need a way of changing the file rights without embedding the root password into a php script running on the domain. please help!

is there any way to associate the same rights to files as the containing folder when new files are added?

submit form:

<html>
<body>

<form action="upload_file.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /> 
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html>

upload_file.php:

<?php
if ($_FILES["file"]["type"] == "text/plain")
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

    if (file_exists("/home/user/mysite/upload/" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " already exists. ";
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "/home/user/mysite/upload/" . $_FILES["file"]["name"]);
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
      }
    }
  }
else
  {
  echo "Invalid file";
  }
?>
like image 453
JB87 Avatar asked Jan 22 '23 09:01

JB87


1 Answers

The user, that initially writes the files into your "/upload" directory, is the one that started the Apache instance running a PHP module.

In other words, PHP is the "owner" of all uploaded files and through a PHP script you can change the permissions of all relevant uploaded files without providing any credentials at all:

PHP chmod function

A quick and dirty hack to make uploaded files writable to all users would be

else 
      {
      move_uploaded_file($_FILES["file"]["tmp_name"], 
      $f="/home/user/mysite/upload/" . $_FILES["file"]["name"]); 
      chmod($f, 0777);
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"]; 
      }
like image 58
Saul Avatar answered Jan 28 '23 19:01

Saul