
We have a project that allows users to back up their data to a server through a PHP upload, running on a Linux server.

If a user uploads any executable file, it is automatically renamed to some other name after the upload and the execute permission is removed from the file.

Can this cause security problems?

Can a virus uploaded by a hacker still work without execute permission and its actual name?

The upload location is not /var/www; it is on a separate storage device.

ananthan

1 Answer

My Assumptions: You're running Apache.

.exe suggests you're talking about Windows executables, but your tags indicate you're talking about a Linux server. 'Hackers' wouldn't be able to execute Windows executables on a Linux server no matter what name or permissions you give them.

The risk isn't that they can run their code; the risks are that they can force the web server to upload the file to another location and, as a result, gain arbitrary access. Or, they can upload a PHP or other file and then have the web server execute that file (which doesn't need execute permissions, only read permissions) and gain access via that route. So the first thing you need to do is actually make sure any uploaded file is in a location that Apache refuses to read files from.

In response to your comment,

If you ensure the file, once uploaded, is in a location Apache is not allowed to serve content from, or has permissions which prevent Apache from reading the file, then it is likely that this will mitigate some of the problems.

However, please note that this is not a comprehensive set of measures you need to undertake to protect your server; it was just the first one that popped into mind. I was just trying to point out that your question suggests you're not aware of the real risks, and you may need to do some research into securing web services which allow content to be uploaded.

EightBitTony
  • If the uploaded file is made inaccessible to Apache, is it possible for Apache to retrieve the uploaded data once a user requests it? – ananthan Jul 03 '12 at 10:57
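Putting the answer's advice together with the follow-up comment, here is an added PHP example (not code from the question, the answer, or the project): the upload handler stores files outside the DocumentRoot under a random name with no execute bit, and a download endpoint reads them back so Apache itself never serves or interprets that directory. The paths /srv/backups and /var/www/html, the function names and the Apache snippet in the comments are assumptions.

```php
<?php
// Added example: keep uploads outside the Apache DocumentRoot (assumed
// /var/www/html) in /srv/backups (assumed separate device), random name,
// mode 0600, and hand them back only through send_download() below.
// Assumed vhost config so Apache can never expose or run these files:
//   <Directory "/srv/backups">
//       Require all denied
//   </Directory>

const STORAGE_DIR = '/srv/backups';      // outside DocumentRoot
const MAX_BYTES   = 512 * 1024 * 1024;   // 512 MiB per file (assumed limit)

// Save an uploaded file; returns the opaque id the client uses to fetch it later.
function store_upload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // The original name is never used on disk; it is kept only as metadata.
    $id   = bin2hex(random_bytes(16));
    $dest = STORAGE_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0600);                          // no execute bit, owner-only
    file_put_contents($dest . '.name', basename($file['name']));
    return $id;
}

// Stream a stored file back. PHP reads it on the user's behalf and forces a
// download, so the browser never interprets the content as a page or script.
function send_download(string $id): void {
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {  // rejects ../ and other path tricks
        http_response_code(404);
        return;
    }
    $path = STORAGE_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $name = file_get_contents($path . '.name') ?: 'backup.bin';
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $name); // header-safe filename
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Call `store_upload($_FILES['backup'])` from the upload form handler and `send_download($_GET['id'])` from the download endpoint, both behind the application's normal login check so a user can only fetch ids that belong to them.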