--- alternate_dph <[EMAIL PROTECTED]> wrote:
> > You must be very brave to run Apache as root. Personally, it's the
> last thing I'd ever do since there are other methods to give the
> webserver (and therefore PHP) write access to the directory.
>
> And those other methods would be?

One has already been mentioned. If you don't have root access, you can change the permissions of the upload directory to 777 (d rwx rwx rwx) which gives read, write, and execute (search) permissions to each of the owner (probably you), the group to which you belong, and every other user on the system. Since the Apache web server often runs as the user "apache" or "nobody" or something similar, the third category is the important one here. The command to use is

    chmod 777 /path/to/directory

If you don't have SSH command-line access, many FTP and SCP/SFTP clients will allow you to create a directory and set its permissions.

I don't like this technique because it means that any user on the system can write or delete files in this directory. On a shared hosting environment, this can be very risky.

If you have root access or can be nice to your system administrator, you can change the ownership or group association for the directory. In addition to running as a particular user, Apache also runs as a particular group (i.e. "apache" or "nogroup"). I would set the ownership to your directory and the group to this webserver group:

    chown youruser:apache /path/to/directory

You can only change the group to a user other than your group if you are the root user. However, this method still has a problem that any PHP script on the server can write data to this directory.

Other techniques require more cleverness on the part of the system admins. For example, there are PHP settings (open_basedir) which can restrict a PHP script to accessing files which are in a certain branch of the filesystem. Another setting (safe_mode) says a PHP script can only access files and directories which are owned by the same userid as the script itself.

Always remember that any time you allow file uploads, you must carefully audit what is being sent up. If you are expecting images, don't let people upload anything else.
Use is_uploaded_file() to ensure that the data you are processing is really an uploaded file. Before you use move_uploaded_file(), check the mimetype and the expected size and filename with values in the $_FILES superglobal.

I would place the directory *outside* the web space defined for Apache. You can use a PHP script to access the file from this directory as a handler for images, etc.

Returning to my original comment, running the webserver as root just so you can write to a directory is asking for trouble. Imagine, any PHP script is now running as root -- can overwrite or delete any file.... That'd keep me up at night!

James
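
Added example (not part of the message above, and not code from the list): a PHP upload handler that applies the checks the message names, is_uploaded_file(), size, type and filename, before move_uploaded_file() into a directory outside the web space. It goes one step beyond the message by detecting the type from the file content with finfo, since $_FILES['type'] is supplied by the client. The path /var/uploads/images, the 2 MiB limit, the "image" form field and the function name store_uploaded_image() are assumptions; PHP 7 or later is assumed for random_bytes().

```php
<?php
// Added example, not from the original post. UPLOAD_DIR, MAX_BYTES, ALLOWED,
// the "image" form field and store_uploaded_image() are assumed names/values.
const UPLOAD_DIR = '/var/uploads/images';   // assumed path outside the Apache document root
const MAX_BYTES  = 2 * 1024 * 1024;         // assumed size limit (2 MiB)
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
function store_uploaded_image(array $file): string
{
    // PHP reports transport problems (partial upload, ini size limit) in 'error'.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or malformed request');
    }
    // Confirm the temp path really came from an HTTP POST upload in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Check both the reported size and the real size on disk against the limit.
    $size = filesize($file['tmp_name']);
    if ($file['size'] > MAX_BYTES || $size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('unexpected file size');
    }
    // $_FILES['type'] comes from the client, so detect the type from the content.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('only JPEG, PNG or GIF images are accepted');
    }
    // The client's filename is only sanity-checked; it is never used as a path.
    $claimed = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($claimed, $ext === 'jpg' ? ['jpg', 'jpeg'] : [$ext], true)) {
        throw new RuntimeException('file extension does not match content');
    }
    // Store under a server-generated name so the upload cannot choose its location.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);   // owner and group only; no access for other users
    return basename($dest);
}
if (PHP_SAPI !== 'cli' && isset($_FILES['image'])) {
    try {
        echo 'stored as ', store_uploaded_image($_FILES['image']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage());
    }
}
```

The returned name is what a separate image-handler script would look up in UPLOAD_DIR when serving the file back.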
