Hey everyone<br /><br />I have just about finished building this custom script I wrote...<br /><br />The problem is I have 3 folders I need to allow people to upload to and delete from... but if I have CHMOD any lower than 755 it doesn't seem to allow this.<br /><br />Would 755 be secure enough? I only allow uploads in the form of .zip/.rar/.mp3/.gif/.jpg/.jpeg via checks in PHP... but the last thing I want to do is allow my site to be compromised and get shut down for security reasons.<!--content-->
755 seems to work fine at the moment for me.. I can upload and delete<!--content-->
^ ignore that, after more testing it requires 777<br /><br />but 777 screams DANGER!!<!--content-->
<div class='quotetop'>QUOTE (OJB @ Mar 15 2008, 07:55 AM)</div><div class='quotemain'>but 777 screams DANGER!!</div><br /><br />Yes it does. That's why uploading should be done with FTP and valid user/password combinations.<!--content-->
Unfortunately FTP is not really an option for my site.... :(<br /><br />I have people registering, paying for the service, uploading some files, being able to delete the files (from the DB and server)... I can't really register FTP accounts for everyone, and also, I need to allow certain people access to certain other people's files (to download)....<br /><br />It's all quite complex... and I can't really think of a better way of doing it, but 777 :( *sigh*<!--content-->
There is no way around the 777 permissions using a script to upload, since the script is running as user "nobody", the default user for the web server.<br /><br />If you were working with only one folder you could ask the help desk to change the ownership of the folder to user "nobody" and then be able to set it to 755, but still, anything would be able to be put into that folder and run from that folder.<!--content-->
You can also use .htaccess to prevent anything being run from the folder. Just make sure you only give read access (not write) on the .htaccess file ;)<!--content-->
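The `.htaccess` suggestion in the last reply, as an added example that is not part of the original thread: a shell sketch that writes a deny-execution `.htaccess` into an upload folder, makes it read-only, and lists files outside the allow-list from the first post. The function names are hypothetical, and it assumes Apache 2.4 with `AllowOverride` permitting `Options` and `Require` in `.htaccess`.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Apache 2.4 and that the
# host allows Options and Require in .htaccess (AllowOverride).

# Write a deny-execution .htaccess into an upload directory and lock it down.
harden_upload_dir() {
    dir=$1
    rm -f "$dir/.htaccess"          # allow re-runs over a read-only copy
    cat > "$dir/.htaccess" <<'EOF'
# Never run CGI from here, and refuse to serve anything with a script
# extension anywhere in its name (catches shell.php.jpg as well).
Options -ExecCGI
<FilesMatch "\.(php[0-9]?|phtml|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>
EOF
    chmod 444 "$dir/.htaccess"
    # In a mode-777 directory any user can unlink and recreate a read-only
    # file. The sticky bit limits delete/rename to the file's owner or the
    # directory's owner, so it only helps when .htaccess belongs to the
    # account user and not to the web server user.
    chmod 1777 "$dir"
}

# Print files that fall outside the allow-list from the first post
# (.zip/.rar/.mp3/.gif/.jpg/.jpeg) or hide a script extension mid-name.
audit_upload_dir() {
    find "$1" -type f ! -name .htaccess | sort | while IFS= read -r path; do
        name=$(basename "$path" | tr '[:upper:]' '[:lower:]')
        case $name in
            *.php*|*.phtml*|*.pl|*.pl.*|*.py|*.py.*|*.cgi|*.cgi.*|*.sh|*.sh.*)
                echo "$path" ;;
            *.zip|*.rar|*.mp3|*.gif|*.jpg|*.jpeg) ;;
            *) echo "$path" ;;
        esac
    done
}

# Run against a directory given on the command line.
if [ -n "${1:-}" ]; then
    harden_upload_dir "$1"
    audit_upload_dir "$1"
fi
```

The audit looks only at file names, so it complements the PHP-side checks mentioned in the first post and does not replace them.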