0

i have a upload function on my cms using POST (php). everything works fine but the directory needs a 777 setting otherwise i get errors.
i would like to bring this down to like a 644. how could i do this?
would this setting be in httpd.conf?

t q
  • 253
  • 1
  • 5
  • 15
  • Possible duplicate of [this question](http://serverfault.com/questions/357108/what-are-the-best-linux-permissions-to-use-for-my-website). – Nic Mar 17 '12 at 03:05

2 Answers2

4

Make sure that Apache (httpd) owns the directory. This will allow Apache to put files there without needing to 777 the entire directory.

Use chown -R apache:apache /path/to/upload/dir

EDIT: As cyberx86 pointed out, the actual PHP process is what will be doing the file writing. Therefore the PHP user is the one that needs to have ownership of the directory to set more restrictive permissions. When paired with Apache, PHP instances are generally child processes of the parent Apache process.

Joel E Salas
  • 5,572
  • 16
  • 25
  • how does apace own the directory? – t q Mar 17 '12 at 02:41
  • 2
    @Joel meant the user who is running the apache server. Mostly in distros, apache process is run by nobody or apache or www-data. – kaji Mar 17 '12 at 02:45
  • 5
    @tq: it is worth noting that PHP does not always run as the same user as apache (e.g. if using suphp, or some FastCGI setups) - the folder and file ownership needs to be the PHP user, so that your CMS is able to write to the folder without permission errors. (Typically the $_SERVER["USER"] will tell you what user PHP is running as - also available from phpinfo()) – cyberx86 Mar 17 '12 at 02:47
0

I think the best way to do with would be with acl's. You can have the directory owned by nobody:nobody, and then give the user that your application runs as have full read write access.

This removes other people in a group having access. It will remove the 'other' acce

chown nobody:nobody /path/to/folder

Then remove the 'other' ability to see the folder.

chmod o-rx /path/to/folder

Then give whatever user writes to read/write/execute the folder.

setfacl -m "u:apache:rwx"
setfacl -m "u:yournormaluser:rwx"

then add the acl option to fstab.

Then remount.

mount -o remount /var
Justin S
  • 350
  • 3
  • 15