
I'm working on a page where a user can upload an image/video using a form. The code includes this line:

```php
move_uploaded_file($tempfile, $newfile)
```

Then a thumbnail is automatically created from this image/video and uploaded to the server like this:

```php
file_put_contents($thumbname, $thumbnail)
```

Now the uploading of the image works perfectly but the thumbnail can't be saved and I get this response:

```
Warning: file_put_contents(thumbnails/1.jpg): failed to open stream: Permission denied in SITEURL/upload.php on line 17
```

My two questions:

  1. Why does the user have permission uploading an image via move_uploaded_file but uploading the thumbnail via file_put_contents gets denied? Please note that both files, image AND thumbnail, get uploaded to the same folder. Shouldn't the user have either permission to do both or neither?

  2. I do realize there is already a thread like this but the suggested answer there is to run chmod 777. But I read that setting a folder to 777 is always a security risk. Is there a way to fix this problem without 777?
    Again, I don't understand why I have to change the permission to 777 for file_put_contents whereas move_uploaded_file works just fine at 755.

user3041398
  • `chmod -R u+rwx,g-rw,o-x thumbnails/` gives read, write, and execute rights to the owner, but denies execute access for group and others. `chmod` is powerful enough to [manage rights more carefully](http://www.washington.edu/computing/unix/permissions.html). More carefully than 777, that's for sure – Elias Van Ootegem Jul 22 '14 at 10:53
  • @EliasVanOotegem Isn't that just longhand for `chmod -R 766`? – Niet the Dark Absol Jul 22 '14 at 11:55
  • @NiettheDarkAbsol: Yes, it is, but I find the `u+rwx` and `g-wx` notation a lot clearer: _U_ser, _G_roup, _O_ther, _A_ll, `+` for grant, `-` for deny and _R_ead, _W_rite, e_X_ecute... (of course, you know this, but this explanation is directed at the OP ;-P) – Elias Van Ootegem Jul 22 '14 at 11:58
  • @EliasVanOotegem Fair enough - maybe I'm just more of a "numbers" person because I find `766` much easier to understand XD – Niet the Dark Absol Jul 22 '14 at 12:01
  • @NiettheDarkAbsol: To each his own, as long as we all agree that `chmod -R 777` is best avoided, it's all good – Elias Van Ootegem Jul 22 '14 at 12:08
  • @EliasVanOotegem Agreed. `chmod -R 777` is about as "problem-solving" as `eval`... – Niet the Dark Absol Jul 22 '14 at 12:09

1 Answer

Use:

```php
// PHP code:
echo `whoami`;
```

to find out what user PHP is being run as.

Then check on your server who owns thumbnails:

```bash
# log in via SSH and run:
ls -l | grep thumbnails
```

This should show you a line like this (taken from my own server):

```
drwxr-xr-x 8 niet niet 4096 Jul 15 12:12 thumbnails
```

In the above example, the folder is owned by the user niet and is in the group niet. If it is not the same as whoami from earlier, you will need to change the owner of the folder. For instance if whoami gave user3041398, you would do:

```bash
chown user3041398 thumbnails
```

Run the ls line again and you should see your username in the output now, and PHP should be able to write to the folder.

Niet the Dark Absol
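Added example (not part of the answer above or the asker's code): a PHP diagnostic that compares the account PHP runs as with the owner, group and mode of the target directory, and reports which permission class applies and whether it allows creating files. The function name `explain_dir_write_access` and the `thumbnails` path next to the script are assumptions; it needs the posix extension.

```php
<?php
// Added example, not from the original answer. Request it through the web
// server (not the CLI) so it reports the account that handles uploads.

/**
 * Report which permission class (owner/group/other) the PHP process falls
 * into for $dir and whether that class may create files there.
 * Hypothetical helper; requires the posix extension.
 */
function explain_dir_write_access(string $dir): array
{
    clearstatcache(true, $dir);
    if (!is_dir($dir)) {
        throw new InvalidArgumentException("Not a directory: $dir");
    }

    $euid     = posix_geteuid();
    $groups   = posix_getgroups() ?: [];   // supplementary groups
    $groups[] = posix_getegid();           // plus the effective group
    $owner    = fileowner($dir);
    $group    = filegroup($dir);
    $mode     = fileperms($dir) & 0777;

    // The kernel checks exactly one class: owner first, then group, then other.
    if ($euid === $owner) {
        [$class, $bits] = ['owner', ($mode >> 6) & 07];
    } elseif (in_array($group, $groups, true)) {
        [$class, $bits] = ['group', ($mode >> 3) & 07];
    } else {
        [$class, $bits] = ['other', $mode & 07];
    }

    return [
        'php_user'       => posix_getpwuid($euid)['name'] ?? (string) $euid,
        'dir_owner'      => posix_getpwuid($owner)['name'] ?? (string) $owner,
        'mode'           => sprintf('%04o', $mode),
        'matched_class'  => $class,
        // Creating a file needs write (2) and search (1) on the directory.
        'mode_allows'    => ($bits & 03) === 03,
        // Cross-check: ACLs or root can differ from the plain mode bits.
        'is_writable'    => is_writable($dir),
        'world_writable' => ($mode & 0002) !== 0,
    ];
}

// Assumed layout: a "thumbnails" directory next to this script.
header('Content-Type: text/plain');
print_r(explain_dir_write_access(__DIR__ . '/thumbnails'));
```

For a directory listed as `drwxr-xr-x niet niet`, any PHP account other than `niet` matches `group` or `other`, both `r-x`, so `mode_allows` is false; after the `chown` to the PHP account it matches `owner` and becomes true with the mode still at 755.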