1

I'm running CentOS 5.5. I need to create / write some files with a PHP script. The script only works if I have the permissions of the directory in which the files are to be created / written set to writable for everyone, i.e.:

chmod a+w my_directory

The script is working fine, but having my directory writable like that is obviously BAD.

My question is, is there a way to allow selected programs (such as PHP) permission to write and create files while keeping everyone else out?

Many thanks

Joe

1 Answer

2

Make the files/directories PHP needs to write to owned/writable by the user or group that PHP is running as (usually your web server's user/group).

Note that while this configuration is more secure than world-writable files it is only as secure as your code and your webserver configuration. Plan accordingly.

voretaq7
  • Hi thanks for your answer. I know I can change the user permission with chown and the group permission with chgrp (and chown), but could you tell me how I find out which group or groups php is running as please. I know you can use groups but 'groups php' isn't working. – Joe Jul 20 '11 at 18:09
  • Put this in a page on your website and see what it returns.`` This is for Linux. – ablackhat Jul 20 '11 at 18:25
  • @ablackhat - Thanks for that. I get that the group id and user id is apache. I also did a 'cat /etc/group' command which I've just read about and apache was in there. But how do I specifically get the user and or groups that php belongs to? Can php belong to anything? I'm assuming I have to change the file permissions in my directory to apache. But I'm really not sure if I have to do that just for the user or root or both and importantly why? Cheers. – Joe Jul 20 '11 at 18:35
  • @Joe - PHP is executed as the user/group running the web server, absent other specific configuration changes. – voretaq7 Jul 20 '11 at 18:40
  • I've changed both the user and the group for the relevant directory to 'apache' which has sorted out my problem. What is the difference between changing the group and the user? – Joe Jul 20 '11 at 18:41
  • @Joe - One is the user, and one is the group (not being facetious - that's really the difference). See http://www.freebsd.org/doc/handbook/users.html for what's probably a better explanation, specifically the introduction and the section on groups which talk about how permissions/access are determined :-) – voretaq7 Jul 20 '11 at 21:31
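
The approach from the answer and comments above, as an added shell example that is not part of the original thread: find the account the web server workers run as, hand the directory to that account, and confirm the world-writable bit is gone. The function names are hypothetical; it assumes GNU `stat` and `ps` as shipped on CentOS, the `httpd`/`apache2` process names, and the `apache` account reported in the comments.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU coreutils/procps as found on CentOS.

# List the non-root accounts that web server worker processes run as.
# PHP inherits this identity unless the server is configured otherwise.
webserver_users() {
    ps -eo user=,comm= |
        awk '$1 != "root" && $2 ~ /^(httpd|apache2)$/ { print $1 }' |
        sort -u
}

# Print "yes" if the "other" class has write permission on PATH, else "no".
is_world_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    other=${mode#"${mode%?}"}          # last octal digit = "other" bits
    if [ $((other & 2)) -ne 0 ]; then echo yes; else echo no; fi
}

# restrict_to DIR OWNER GROUP
# Hand DIR to OWNER:GROUP and drop all access for everyone else.
# Mode 2770: rwx for owner and group, nothing for other; the leading 2
# (setgid) makes files created inside inherit GROUP.
restrict_to() {
    chown "$2:$3" "$1" &&
    chmod 2770 "$1"
}

# Typical use, run as root, with the account seen in the comments:
#   webserver_users                      # e.g. prints: apache
#   restrict_to my_directory apache apache
#   is_world_writable my_directory       # prints: no
```

Any script the web server executes can still write to the directory, which is the caveat the answer raises about code and server configuration.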