0

I think this question should be something easy but after searching all over the web I couldnt find an answer, so I decided to ask here.

I have a file uploader in my website that works with php. The folder where files are being uploaded has 777 chmod. I also have a php script to list the files in that folder. What I need is to allow php to upload and browse files on that folder, but dont allow people to do it. The only solution I imagined is to chown that folder to another user different than default, so I could later chmod in filezilla and allow only owner to do it, so people will see the files trough the output of the php script, but not if they navigate to that folder.

Im using Debian, apache2. Id like to know what could I do.

To make it shor, my aim: allow php to upload, read, write and execute files in that folder, but not clients unless they use my php script.

Thanks in advance

hakre
  • 193,403
  • 52
  • 435
  • 836
Karevan
  • 139
  • 1
  • 16

2 Answers2

1

Put all the files you're talking about in their own directory. Add a .htaccess file to that directory. The contents of the .htaccess should be deny from all.

This will prevent any user from manually accessing the files as access will be blocked off. Your PHP script can still browse the contents of the file and serve it up as an attachment with the correct content type.

For more info on how to serve a file for download in PHP, read this: https://serverfault.com/questions/316814/php-serve-a-file-for-download-without-providing-the-direct-link

Community
  • 1
  • 1
Ayush
  • 41,754
  • 51
  • 164
  • 239
  • Could you explain me what do you mean with "their own directory"? I tried with .htaccess file, but I still can download the files from direct link. I dont want to serve the downloads any way. I just want to show whats on that folder with a php script (done already). But I dont want anyone to be able to download them in any way, just to upload. – Karevan Jun 07 '12 at 00:01
  • If you place a `htaccess` file in a directory with `deny from all`, all files in that directory are no longer accessible. – Ayush Jun 07 '12 at 00:05
  • Sorry for insisting but that isnt working for me, I added the .htaccess on the folder where my files are, with "deny from all" without quotes, but I still can download the files from browser – Karevan Jun 07 '12 at 00:11
  • Check your apache settings to ensure it is looking for htaccess files, and allowing overrides. See here for details: http://forums.devshed.com/apache-development-15/htaccess-not-being-accessed-8977.html – Ayush Jun 07 '12 at 00:16
  • Sorry for accepting your answer late, it took long to manage to enable overrides, but your answer is the one that helped me, so I accept it : ) Thx for help – Karevan Jun 07 '12 at 09:40
1

All services including web servers run in a security context which is an account in the OS, for example apache starts using apache user in apache group. It is enough to change mode and change owner to this user and group. Never chmod a directory to 777 until there is a good explanation for that. Using this trick, web service process only can read, write and execute in that directory.

As well, if you want the browser clients not to see(read) the contents of that directory, you should deny listing on that directory. I think it is disabled for default.

Kamran Amini
  • 1,062
  • 8
  • 14
  • my directory is: mapuploader so I should just: chown -R apache mapuploader ? :s – Karevan Jun 07 '12 at 00:02
  • I got it now. Yes. You should first chown it to apache user. chown -R apache apache mapuploader/ – Kamran Amini Jun 07 '12 at 00:03
  • Well my question is: which user should I make the owner of that folder? "apache" user does not exist and I used top command to see processes owners, and on apache2 processes there are two owners: root and www-data. I tried with both and with www-data, its always public (like making everyone owner) and with root php cant read it – Karevan Jun 07 '12 at 00:06
  • Read httpd.conf file. The user is specified in it. – Kamran Amini Jun 07 '12 at 00:14
  • httpd.conf file is empty. In same folder of httpd.conf I found a file names "envars", where i found next: export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data But as I mentioned before, if I use www-data it is like making public owner – Karevan Jun 07 '12 at 00:20
  • Why don't you copy to a folder which is not in your www directory ? When a directory is not within www directory so web service won't serve the clients if there is any request for accessing that directory. You can use for example /usr/test/upload – Kamran Amini Jun 07 '12 at 00:27