0

PHP 7 uses the default system folder (/tmp) to store uploaded files. PHP allows you to change the settings and change the upload destination directory. Some sites indicate to change this folder to another one, since the /tmp permission is 777.

OWASP has nothing listed in the security recommendations. Should I really worry about changing this folder to another one or there are no risks?

Tom
  • 289
  • 3
  • 13

1 Answers1

1

I think it is usually not needed to change the upload folder, because

  • The default access mode of the temporary files is 0600, and they are owned by the user running the PHP process. This means that other users cannot access the files by default.
  • /tmp has the sticky bit set, which means that even its access permissions are 777, only the owner of a file can delete any files (and root, of course).
  • Usually servers are dedicated computers, and nowadays with containers and virtualization even more so. This means that there are probably no other users are present who might take a peek to the uploaded files in transit.
  • The files are there only temporarily, if the script handling the file upload exits, the files are deleted. So even if there are untrusted users/processes around, they would need a race condition (which might exist, BTW) to access the files, and they still need to overcome the access restrictions mentioned before.
  • If someone unauthorized from the internet manages to access the file system of your computer, the temporary uploaded files are the least of your problem.
Lacek
  • 7,233
  • 24
  • 28