1

I asked a question over at Information Security and received an interesting response which in part included the following:

move them off the server root

So in the context of moving uploaded files "off the server root" I'm not currently sure how to differentiate what directories are and are not owned by the root user who has access to ... everything?

So how do we define the server root in this context and how can I determine if a directory is not a "server root"?

Bonus points for helpful suggestions in regards to where I should move the files (that are accepted) once they are uploaded.

John
  • 134
  • 10

1 Answers1

1

You mean the web server root directory. The web server will manage the applications and content from this location. Why move them from this root location?

They should be kept in a separate area - you don't want 100's of file uploads cluttering your nice clean, shiny web root. It's an added maintenance burden. File uploading can accumulate to occupy a large volume of disk space. You may have a particular backup regime for these files.

You can more easily manage the permissions of the upload directory and files uploaded to it. Don't want any nasty users getting access to an area which could compromise your web services.

You could even have a location completely outside the web server root directory hierarchy. A mounted file system or separate file server, for example. Or perhaps an ${SERVER_ROOT_DIR}/uploads directory will suffice.

suspectus
  • 658
  • 1
  • 5
  • 11
  • I need *code* to go along with the explanation please. I need definitions of why the "server root" is a different user than whatever PHP is using in example and if I'm updating via FTP how*that* user is different from the PHP user. – John Sep 27 '19 at 20:03
  • "move them off the server root" - this refers to a *location* on the web server from which the web content is managed and ultimately delivered to the browser. It does not refer to a root user. The web server processes will have owned by the service's user (typically www-data). That will be the user which owns the PHP file upload process. As for code, this depends on what you want to do. But there are hundreds of examples of PHP file uploads on the net. – suspectus Sep 27 '19 at 20:12
  • In example would `/home/accountu/public_html/` (for "Account User") be an example of what that other guy is talking about? If people used terminology in a strict fashion there wouldn't be this kind of confusion. – John Sep 27 '19 at 20:15
  • Yes. Agreed but that's in the nature of language. Humans don't communicate rationally most of the time. – suspectus Sep 27 '19 at 20:20