-2

Following this SO answer, the user under which Apache runs should not be allowed to write to any files. Which is very OK from a security perspective, however how can a PHP web application that allows file uploads can work with such a setup?

A virtualization tool, like linux-vserver, or OpenVZ (as suggested here) would be one alternative, however I'm not sure about the performance hit, as my linux box is already running inside a virtual machine.

Another approach that crossed my mind would be to use a process that runs under a user with write privileges on the uploads folder, and have my PHP scripts communicate with it via IPC.

I'd incline towards the second solution, however before I start developing that app and hit my head against the wall a few times before I make it work right and without crashes, I'd like to know if there are simpler solutions to this.

Community
  • 1
  • 1
Cristik
  • 30,989
  • 25
  • 91
  • 127

1 Answers1

1

Give the user or group the php code is executed by write access to a single uploads folder, and disable php execution for that directory.

If you're using mod_php, it will be the Apache user.

If you're using php-fpm it may default to the Apache user but it can certainly be changed (even per-pool, if you have multiple pools for different apps/sites)

Stephen
  • 18,597
  • 4
  • 32
  • 33