Posted by frizzle on 04/05/06 03:34
bobzimuta wrote:
> Are you allowing your web server write permissions to the folder?
> Assuming the webserver runs as 'nobody'.
> 755 with ownership nobody, nobody. Otherwise you'll need
> 775 with ownership frizzle, nobody
>
>
> frizzle wrote:
> > Gary L. Burnore wrote:
> > > On 4 Apr 2006 15:10:39 -0700, "frizzle" <phpfrizzle@gmail.com> wrote:
> > >
> > > >Hi,
> > > >
> > > > >I am at the base of an FTP thingy I'm building, and I noticed that
> > > > >it would only work if I chmod the folder 777, I thought to remember
> > > > >correctly that previously on another site chmod 744 was enough,
> > > > >now it isn't.
> > > > >Am I mistaken, and should it always be 777? And isn't a chmodded
> > > > >777 folder much more vulnerable?
> > >
> > >
> > > Most definitely more vulnerable.
> > >
> > >
> > > You want 755, not 744. You need the x bit set. It should look like
> > > this:
> > >
> > > drwxr-xr-x ... ...
> > >
> > >
> > > The x on a directory means search, not execute. If you can't search
> > > the directory, you can't read the files in it.
> > >
> > > If you want people to be able to find the files but not list the
> > > directory when they're on the server, you can set the directory as 711
> > > which would look like:
> > >
> > > drwx--x--x ... ...
> > >
> > >
> > >
> > > >Frizzle.
> > > >
> > > >
> > > > >Code so far below:
> > > >
> > > >
> > > >++++++++++++++++++++++++++
> > > ><?php
> > > >
> > > > require_once('../inc/globals.php');
> > > >
> > > > if( isset( $_FILES['image'] ) ){
> > > >
> > > >$ftp_conn = @ftp_connect( $default_ftp_server )or
> > > >die('<b>Error!</b>');
> > > >@ftp_login( $ftp_conn, $default_ftp_user, $default_ftp_pass )or
> > > > >die('<b>Error!</b>');
> > > >
> > > >$uploaddir = '../items/';
> > > >$uploadfile = $uploaddir . basename( $_FILES['image']['name'] );
> > > >
> > > >if ( move_uploaded_file( $_FILES['image']['tmp_name'], $uploadfile ) ){
> > > > echo "File is valid, and was successfully uploaded.";
> > > >} else {
> > > > echo "Possible file upload attack!";
> > > >};
> > > >
> > > >ftp_close( $ftp_conn );
> > > >
> > > >};
> > > >
> > > >?>
> > > ><form action="<?php echo $PHP_SELF; ?>" method="post"
> > > >enctype="multipart/form-data" name="images" target="_top" id="images"
> > > >class="form">
> > > > <input name="image" type="file" id="image">
> > > > <br>
> > > > <input type="submit" name="upload" id="upload" value="Upload">
> > > > <input name="cancel" type="button" id="cancel" value="Cancel"
> > > >onClick="javascript:history.go(-1) ">
> > > ></form><?php
> > > >
> > > > if (is_dir($uploaddir)) {
> > > > if ($dh = opendir($uploaddir)) {
> > > > while (($file = readdir($dh)) !== false) {
> > > > if ($file !== '..' && $file !== '.') echo "filename: $file :
> > > >filetype: " . filetype($uploaddir . $file) . "<br>\r\n";
> > > > }
> > > > closedir($dh);
> > > > }
> > > > };
> > > >
> > > >?>
> > > >----------------------------------------------------
> > > --
> > > gburnore at DataBasix dot Com
> > > ---------------------------------------------------------------------------
> > > How you look depends on where you go.
> > > ---------------------------------------------------------------------------
> > > Gary L. Burnore |
> > > Official .sig, Accept no substitutes. |
> > > | 0 1 7 2 3 / 3 7 4 9 3 0
> > > Black Helicopter Repair Services, Ltd.| Official Proof of Purchase
> > > ===========================================================================
> >
> > Hmm, I still get an error; I chmodded both the destination folder AND
> > the executing script-file 755.
> >
> > Warning: move_uploaded_file(../items/bg.jpg): failed to open stream:
> > Permission denied in
> > /home/httpd/vhosts/domain.com/httpdocs/new/admin/ftptest.php on line 15
> >
> >          Read mode   Write mode   Execute/search mode
> > Owner        +           +                 +
> > Group        +           -                 +
> > Others       +           -                 +
> >
> > Frizzle.
Standard (DW created files/dirs) have user 'domainname', permissions
'rwx r-x r-x ',
Ftp app uploaded (with chmod 777) have user 'apache', permissions
'rw- --- --- '
Frizzle.
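
The permission logic discussed in this thread, worked through as an added example (not code from any poster): it shows which rwx triplet applies to the web server process and why 755 on a directory owned by 'domainname' still denies the upload, while 755 owned by the server user or 775 with the server's group allows it without going to 777. The numeric uid/gid values and the third "stranger" account are constructed; the model covers only the classic mode bits for a non-root process and ignores ACLs.

```python
import stat

# Constructed identities: user names are from the thread, numeric ids are made up.
DOMAIN = (1001, 1001)   # (uid, gid) of the site owner, 'domainname'
APACHE = (48, 48)       # (uid, gid) of the web server user, 'apache'


def permission_class(owner_uid, owner_gid, proc_uid, proc_gids):
    """Pick the single rwx triplet that applies (owner wins over group)."""
    if proc_uid == owner_uid:
        return "owner"
    if owner_gid in proc_gids:
        return "group"
    return "others"


def dir_rights(mode, owner, proc_uid, proc_gids):
    """What a non-root process may do in a directory with this mode (no ACLs)."""
    cls = permission_class(owner[0], owner[1], proc_uid, proc_gids)
    bits = (mode >> {"owner": 6, "group": 3, "others": 0}[cls]) & 0o7
    r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
    return {
        "class": cls,
        "list": r,           # read the names in the directory
        "open_known": x,     # search bit: reach a file whose name is known
        "create": w and x,   # needed by move_uploaded_file() on the target dir
    }


def report(label, mode, owner, proc_uid, proc_gids):
    rights = dir_rights(mode, owner, proc_uid, proc_gids)
    print(f"{label:<28}{stat.filemode(stat.S_IFDIR | mode)}  {rights}")
    return rights


if __name__ == "__main__":
    web = (APACHE[0], {APACHE[1]})          # the PHP script runs as apache
    stranger = (2000, {2000})               # constructed third local account
    report("755 domainname:domainname", 0o755, DOMAIN, *web)   # thread's failing case
    report("744 domainname:domainname", 0o744, DOMAIN, *web)
    report("711 domainname:domainname", 0o711, DOMAIN, *web)
    report("755 apache:apache", 0o755, APACHE, *web)
    report("775 domainname:apache", 0o775, (DOMAIN[0], APACHE[1]), *web)
    report("775, other local user", 0o775, (DOMAIN[0], APACHE[1]), *stranger)
    report("777, other local user", 0o777, DOMAIN, *stranger)
```

The last two rows are the difference that matters: with 775 and the server's group, an unrelated local account still cannot create files in the upload directory, whereas with 777 it can.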