
When anyone learning approaches the task of setting permissions on a media upload folder that is destined for public access, they might instinctively think that it should be set to 777 or 666 due to all the incorrect tutorials that exist out in the wild.

So, today I decided that I wanted to understand the whole idea of setting correct/secure folder access permissions.

I discovered that on my Ubuntu 20.04 server I needed to assign 700 (or 770 if the owner is a real user) to allow uploads with move_uploaded_file().

Why does www-data need execute access to write the file?

My best assumption is that because move_uploaded_file() is a function of PHP it is essentially executing that function within the destination folder (even though the actual call to that function is in an entirely different folder/file location).

Since I'm never correct in my first assumptions, I decided to ask.

  • https://unix.stackexchange.com/questions/21251/execute-vs-read-bit-how-do-directory-permissions-in-linux-work Should help you out. Though the link talks about the rwx permissions, you need to know the numerical versions. 4 is read (r), 2 is write (w), 1 is execute (x), and you'd add them up to get the numbers. 7 is read/write/execute, 6 is read/write, 0 is nothing at all. – aynber Feb 02 '21 at 17:52
  • @barmar, well, actually it has everything to do with PHP and if you even read the post you can clearly see that I mention the PHP function `move_uploaded_file()`. Thanks for playing though! You get a participation award! – Ethan Aaron Vandal Feb 02 '21 at 20:23
  • For directories I always use `sudo find /var/www -type d -exec chmod 2770 {} \;` – Mantykora 7 Feb 03 '21 at 10:42
  • I am surprised that they did not remove this question for you. As I once asked `chmod 770 for directory`, they deleted it and wrote `lern chmod`:):) – Mantykora 7 Feb 03 '21 at 10:45

1 Answer

The reason is that for directories, the execute bit is used for access to files in that directory. The read permission is used for listing the content. Take this example:

```
johan@eden:~/example$ mkdir test
johan@eden:~/example$ echo 123 > test/example.txt
johan@eden:~/example$ cat test/example.txt
123
johan@eden:~/example$ chmod a-x test
johan@eden:~/example$ cat test/example.txt
cat: test/example.txt: Permission denied
```

Summary

read: Allowed to list the contents of the directory.

write: Allowed to create, modify or delete files in the directory.

execute: Allowed to access a file in the directory if you know the name of the file.

Johan
  • This is a good answer. When the PHP engine needs to access the target folder with `move_uploaded_file()` its permission to execute is checked by the system because technically it's executing the function `move_uploaded_file()` inside that folder. I wonder if you could use nano to write to that folder without execute permissions since it's a system level event as opposed to a third party script event. – Ethan Aaron Vandal Feb 02 '21 at 20:32
  • @EthanAaronVandal Not sure if that is correct, in my understanding, any access to example.txt is blocked, even system level events (from a user missing the execute bit on the folder). – Johan Feb 03 '21 at 10:27
  • So then you always need execute to create or modify? Because those two actions would constitute access, right? – Ethan Aaron Vandal Feb 04 '21 at 12:45
  • That's right. You can just test it in a terminal if you don't agree.. :) – Johan Feb 05 '21 at 10:03
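
Added example, not part of the original question, answer or comments: a POSIX shell script that decodes an octal directory mode and reports whether the class the web server user falls into can create files there (write plus execute on the directory), and whether every other local user can as well. The function names and the `owner`/`group`/`other` argument are assumptions made for this illustration; `audit_upload_dir` assumes GNU `stat`, as on Ubuntu.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from the thread.

# class_bits MODE CLASS -> the 0-7 digit for owner|group|other.
# MODE is octal, 3 or 4 digits (e.g. 770 or 2770).
class_bits() {
    case "$1" in ''|*[!0-7]*) return 2 ;; esac
    _m=$((0$1))                       # leading 0 makes the shell read it as octal
    case "$2" in
        owner) echo $(( (_m >> 6) & 7 )) ;;
        group) echo $(( (_m >> 3) & 7 )) ;;
        other) echo $((  _m       & 7 )) ;;
        *) return 2 ;;
    esac
}

# dir_rights MODE CLASS -> what that class may do with the directory.
dir_rights() {
    _b=$(class_bits "$1" "$2") || return 2
    _out=""
    [ $(( _b & 4 )) -ne 0 ] && _out="$_out list"           # r: read entry names
    [ $(( _b & 1 )) -ne 0 ] && _out="$_out traverse"       # x: reach a known name
    # Adding or removing an entry needs write AND execute together.
    [ $(( _b & 3 )) -eq 3 ] && _out="$_out create-delete"
    echo "${_out# }"
}

# upload_dir_verdict MODE WEBCLASS -> ok | blocked | world-writable
# WEBCLASS is the class www-data falls into for this directory.
upload_dir_verdict() {
    _web=$(class_bits "$1" "$2") || return 2
    _oth=$(class_bits "$1" other) || return 2
    if [ $(( _web & 3 )) -ne 3 ]; then
        echo "blocked"            # move_uploaded_file() cannot create the file
    elif [ $(( _oth & 3 )) -eq 3 ]; then
        echo "world-writable"     # uploads work, but so does any local user
    else
        echo "ok"
    fi
}

# audit_upload_dir PATH WEBCLASS -> verdict for a real directory (GNU stat).
audit_upload_dir() {
    upload_dir_verdict "$(stat -c '%a' "$1")" "$2"
}

# Modes discussed in the thread, judged with www-data as the owner.
for mode in 700 770 666 777; do
    printf '%s owner: %s\n' "$mode" "$(upload_dir_verdict "$mode" owner)"
done
```

On a server, `audit_upload_dir /path/to/uploads group` gives the same verdict for an existing directory, using whichever class www-data belongs to there.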