RE: [PHP] Does this seem odd? File Upload Permissions
The default file permission for new files on the *nix system may be set to something like 755... that could be the problem... -Original Message- From: David McInnis [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:03 PM To: [EMAIL PROTECTED] Subject: [PHP] Does this seem odd? File Upload Permissions Why does PHP set the execute bit on an uploaded file? This means a user could upload a script and it would be executable. Ouch! Especially if the file is available via httpd after upload. . . HELP. I am saving to a directory with permissions of 766 And when php copies the file it assigns the following permissions. rwxr-xr-x I am using the copy command to move the file from the tmp directory. David McInnis -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Does this seem odd? File Upload Permissions
First, the execute bit means nothing over HTTP. So they couldn't just execute it remotely. They would need an account on the box. And second, PHP does not set the x bit, you are doing that. Check your default umask or set it explicitly with a call to umask() before copying the file into place. On Tue, 26 Mar 2002, David McInnis wrote: Why does PHP set the execute bit on an uploaded file? This means a user could upload a script and it would be executable. Ouch! Especially if the file is available via httpd after upload. . . HELP. I am saving to a directory with permissions of 766 And when php copies the file it assigns the following permissions. rwxr-xr-x I am using the copy command to move the file from the tmp directory. David McInnis -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Does this seem odd? File Upload Permissions
That's not entirely true... if php is running as cgi it would need the execution bit set. Or if someone wanted to write a shell script in php to be used to help compromise a server it would need to be executable as well... -Original Message- From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:08 PM To: David McInnis Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Does this seem odd? File Upload Permissions First, the execute bit means nothing over HTTP. So they couldn't just execute it remotely. They would need an account on the box. And second, PHP does not set the x bit, you are doing that. Check your default umask or set it explicitly with a call to umask() before copying the file into place. On Tue, 26 Mar 2002, David McInnis wrote: Why does PHP set the execute bit on an uploaded file? This means a user could upload a script and it would be executable. Ouch! Especially if the file is available via httpd after upload. . . HELP. I am saving to a directory with permissions of 766 And when php copies the file it assigns the following permissions. rwxr-xr-x I am using the copy command to move the file from the tmp directory. David McInnis -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Does this seem odd? File Upload Permissions
But it would mean that you would have to severly misconfigure your server and write severely braindead code. Simply putting a file in your document_root that has the x bit set will under normal circumstances not do anything. On Tue, 26 Mar 2002, Demitrious S. Kelly wrote: That's not entirely true... if php is running as cgi it would need the execution bit set. Or if someone wanted to write a shell script in php to be used to help compromise a server it would need to be executable as well... -Original Message- From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:08 PM To: David McInnis Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Does this seem odd? File Upload Permissions First, the execute bit means nothing over HTTP. So they couldn't just execute it remotely. They would need an account on the box. And second, PHP does not set the x bit, you are doing that. Check your default umask or set it explicitly with a call to umask() before copying the file into place. On Tue, 26 Mar 2002, David McInnis wrote: Why does PHP set the execute bit on an uploaded file? This means a user could upload a script and it would be executable. Ouch! Especially if the file is available via httpd after upload. . . HELP. I am saving to a directory with permissions of 766 And when php copies the file it assigns the following permissions. rwxr-xr-x I am using the copy command to move the file from the tmp directory. David McInnis -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Does this seem odd? File Upload Permissions
Either severely mis-configure, or make a mistake (damn us humans and our mistakes :) -Original Message- From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:15 PM To: Demitrious S. Kelly Cc: 'David McInnis'; [EMAIL PROTECTED] Subject: RE: [PHP] Does this seem odd? File Upload Permissions But it would mean that you would have to severly misconfigure your server and write severely braindead code. Simply putting a file in your document_root that has the x bit set will under normal circumstances not do anything. On Tue, 26 Mar 2002, Demitrious S. Kelly wrote: That's not entirely true... if php is running as cgi it would need the execution bit set. Or if someone wanted to write a shell script in php to be used to help compromise a server it would need to be executable as well... -Original Message- From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:08 PM To: David McInnis Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Does this seem odd? File Upload Permissions First, the execute bit means nothing over HTTP. So they couldn't just execute it remotely. They would need an account on the box. And second, PHP does not set the x bit, you are doing that. Check your default umask or set it explicitly with a call to umask() before copying the file into place. On Tue, 26 Mar 2002, David McInnis wrote: Why does PHP set the execute bit on an uploaded file? This means a user could upload a script and it would be executable. Ouch! Especially if the file is available via httpd after upload. . . HELP. I am saving to a directory with permissions of 766 And when php copies the file it assigns the following permissions. rwxr-xr-x I am using the copy command to move the file from the tmp directory. David McInnis -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Does this seem odd? File Upload Permissions
OK. But I am not changing the permissions. How am I setting the x bit? I am not doing anything in my code except executing a copy() or move_uploaded_file(). Is my server not configured correctly? If so, how do I change the default permissions? By the way, move_uploaded_file() sets completely different permissions [-rw---]than copy() [rwxr-xr-x]. I still say . . . strange. David -Original Message- From: Demitrious S. Kelly [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:24 PM To: 'Rasmus Lerdorf' Cc: 'David McInnis'; [EMAIL PROTECTED] Subject: RE: [PHP] Does this seem odd? File Upload Permissions Either severely mis-configure, or make a mistake (damn us humans and our mistakes :) -Original Message- From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:15 PM To: Demitrious S. Kelly Cc: 'David McInnis'; [EMAIL PROTECTED] Subject: RE: [PHP] Does this seem odd? File Upload Permissions But it would mean that you would have to severly misconfigure your server and write severely braindead code. Simply putting a file in your document_root that has the x bit set will under normal circumstances not do anything. On Tue, 26 Mar 2002, Demitrious S. Kelly wrote: That's not entirely true... if php is running as cgi it would need the execution bit set. Or if someone wanted to write a shell script in php to be used to help compromise a server it would need to be executable as well... -Original Message- From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:08 PM To: David McInnis Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Does this seem odd? File Upload Permissions First, the execute bit means nothing over HTTP. So they couldn't just execute it remotely. They would need an account on the box. And second, PHP does not set the x bit, you are doing that. Check your default umask or set it explicitly with a call to umask() before copying the file into place. On Tue, 26 Mar 2002, David McInnis wrote: Why does PHP set the execute bit on an uploaded file? This means a user could upload a script and it would be executable. Ouch! Especially if the file is available via httpd after upload. . . HELP. I am saving to a directory with permissions of 766 And when php copies the file it assigns the following permissions. rwxr-xr-x I am using the copy command to move the file from the tmp directory. David McInnis -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Does this seem odd? File Upload Permissions
On Wednesday 27 March 2002 15:33, David McInnis wrote: OK. But I am not changing the permissions. How am I setting the x bit? I am not doing anything in my code except executing a copy() or move_uploaded_file(). Is my server not configured correctly? If so, how do I change the default permissions? By the way, move_uploaded_file() sets completely different permissions [-rw---]than copy() [rwxr-xr-x]. I still say . . . strange. Have a look at the umask() function. If that doesn't solve your problem you can always explicitly set the permissions after moving/copying using chmod(). -- Jason Wong - Gremlins Associates - www.gremlins.com.hk /* If you lived today as if it were your last, you'd buy up a box of rockets and fire them all off, wouldn't you? -- Garrison Keillor */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
