Syphic
06-20-2004, 11:21 AM
What is the best way to secure an upload directory?
I can't chmod it and it has to be done by PHP?
Right now my upload dir is 777 and that means it's wide open...
Any suggestions?
Syphic
nexcess.net
06-20-2004, 02:06 PM
If you're on a shared box it'll never be 100% 'secure'. I'd ask your host to make it 770 and chgrp it to the webserver user. That's better than wide open but still allows snooping via scripts run by the webserver.
Chris
mouldy_punk
06-20-2004, 02:14 PM
I would try 666, I think the best way to do it is try different CHMODs and see what works, with the least permissions... if that made sense.
nexcess.net
06-20-2004, 02:21 PM
666 still leaves read/write for anyone 'on', so even 660 would be better (chgrp'd to the webserver user). This assumes the scripts you need to work are 'ok' with 66x perms. Some may not be.
Chris
Syphic
06-20-2004, 07:57 PM
What about htaccess? Could you give each person their own folder and htaccess it to their user account so that only they can view it?
I am willing to take other possible ways after thinking about my first post...
nexcess.net
06-20-2004, 08:11 PM
It depends on what you mean by 'secure'. Are you trying to secure it from snoopers on the same system (or vulnerabilities in a given software suite)? If so your noticing that 777 was insecure was good, and restricting the perms will help.
If you're worried about people just typing in absolute URLs to your upload_dir and grabbing files direct then this is a different problem, and most easily solved by moving the upload_dir outside of your web space (if your software will allow this, most do).
An .htaccess file will help if you can't do the above as well.
Chris
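The two checks discussed in the posts above (no access for "other" on the upload directory, and the directory living outside the web space), as an added example that is not part of the original thread. The function names `mode_of`, `real_dir` and `check_upload_dir` are hypothetical, and both paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit an upload directory for the two problems raised in
# this thread. Nothing here is taken from the posters' own setups.

# Print the permission bits of a path in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Resolve a directory to its physical absolute path, following symlinks,
# so a symlinked upload dir cannot hide its real location.
real_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# check_upload_dir UPLOAD_DIR DOCROOT
# Returns 0 when the directory grants nothing to "other" (modes such as 770)
# and is not located inside DOCROOT. Returns 1 otherwise, one line per finding.
check_upload_dir() {
    up=$(real_dir "$1") || { echo "cannot access: $1"; return 1; }
    root=$(real_dir "$2") || { echo "cannot access: $2"; return 1; }
    rc=0

    mode=$(mode_of "$up")
    other=${mode#"${mode%?}"}          # last octal digit = bits for "other"
    if [ "$other" -ne 0 ]; then
        echo "FAIL: $up is mode $mode; 'other' has access (digit $other)"
        rc=1
    fi

    # Compare with trailing slashes so /srv/www2 is not mistaken for /srv/www.
    case "$up/" in
        "$root"/*)
            echo "FAIL: $up is inside the web root $root"
            rc=1
            ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $up is mode $mode and outside $root"
    return "$rc"
}
```

Call it as `check_upload_dir /path/to/uploads /path/to/public_html`; a non-zero exit status means at least one finding was printed.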
Syphic
06-21-2004, 12:04 PM
Thank you very much, didn't think about putting the upload file outside of the public_html folder...
Syphic