file and folder permissions

**a2j** · December 28th, 2011

I'd like to have a directory on my web server, where I can host my random images that I can quickly upload using php script. but I have concerns about the security of this deal.

in a "root" directory I have two folders, "uploader" and "files". "uploader" is where my php upload scrips are. Its protected with .htaccess. And "files" where it uploads images. www-data has RWX and everyone else is R-X.
would it be possible for somebody to upload any files to "files" folder and possibly execute them? after all, apache can read write and execute. but my php scrips allows only image uploads.

please, give me a possible scenarios of what could happen. Thank you.

**CharlesA** · December 28th, 2011

I wouldn't give www-data write access for that reason.

I'm not sure how your uploader works, but you can set it to be run as a different user and give only that user rwx access?

**a2j** · December 28th, 2011

looks like that is how most content management systems run. uploads directory is writable by www-data user.

**CharlesA** · December 28th, 2011

Originally Posted by a2j

looks like that is how most content management systems run. uploads directory is writable by www-data user.

Hrm, if that's the case, I would just leave it.

*shrug*

**TheFu** · February 2nd, 2012

Originally Posted by a2j

please, give me a possible scenarios of what could happen. Thank you.

A poorly written upload script or file permissions could allow someone else to take over your server. Sound bad?

You probably want to use someone else's, mildly popular, upload script if you insist on doing this with PHP over the web. Perhaps running a well used CMS like Drupal or Joomla would be a better choice? Regardless, check for updates a few times every week and install them so your box isn't owned.

If you will be the only person uploading image files, consider using rsync over ssh to push the files from your non-internet machine - perhaps automatically every day using ssh-key authentication to your host?

There are probably thousands of ways to accomplish what you want, but only 10 ways to do it securely.

-- I approved this message.