PHP unable to move uploaded files unless if the destination folder permission is 0777

[cynux]

I just installed rhel4 on one of my servers, now I'm not able to use move_uploaded_file() function it ends in a failure, if the uploads folder is set to 0666 file permission.

It works in 0777, but that's not very good as its gives out execute permission to the folder which is a security risk.

I have been using rhel3, but I'm new to rhel4... so if anyone of you can help me... it'll be much appriciated...

 

[jayh38]

Try adjusting "safe_mode" in php.ini

 

[cynux]

Try adjusting "safe_mode" in php.ini

safe_mode is off, i have been using php for ages.. and i have never used it... I dont want to end up messing something up.


Anyway, here is more info about everything:

PHP
------------
Safe Mode: Off
SuExec: Off
I'm using php4_module

Apache
------------
1.37

 

[jayh38]

safe_mode is off, i have been using php for ages.. and i have never used it... I dont want to end up messing something up.


Anyway, here is more info about everything:

PHP
------------
Safe Mode: Off
SuExec: Off
I'm using php4_module

Apache
------------
1.37

How about disabling openbase_dir for a test.

 

[cynux]

already tried that..

 

[NightStorm]

Is your php running under user "nobody", or are you running with phpSuExec? So far as I know, if your php is running as nobody, it can't write to the folder unless it has the permissions necessary to... in this case, 777 (global read write execute), since the folder would be owned by the actual cPanel user, and not "nobody".

 

[cynux]

Is your php running under user "nobody", or are you running with phpSuExec? So far as I know, if your php is running as nobody, it can't write to the folder unless it has the permissions necessary to... in this case, 777 (global read write execute), since the folder would be owned by the actual cPanel user, and not "nobody".

I'm not sure that's true, it has to be 666 (gobal write) which is required, i think.

 

[sparek-3]

You need execute permissions so that you can change into that directory.

Without execute permission, the PHP script cannot change into that directory to create any files. The directory also needs write permissions. If all you are going to be doing is writing to the directory, I suppose you could just use a permission setting of 333. Further, I suppose you could really just change the permission to 003, but I wouldn't recommend it.

Really it comes down to 333 or 666 for that matter, is no more secure than 777. Ultimately, if you are wanting to use a PHP script to write files, you need to be running PHP as CGI and using some type of suexec wrapper to execute the PHP script as your username. This eliminates the need for 777 directories, you can just keep directories at 755 and PHP scripts will be able to upload to that directory.

Hope this helps.