  1. #1

    Rights Apache2 webserver and ftp

    Hi, I have a question regarding my own webserver. I run Debian Sarge with Apache2, PHP4, MySQL and ProFTPd. When I use ftp to upload things to my webserver, the files get the owner 'kensentme' and the group 'www-data'; this is the group Apache2 runs in. When I install a cms like Limbo, which runs on a textfile based database, the PHP scripts create files. Those files have the owner and group www-data (that of Apache2).

    The problem comes when I try to delete the files from my webserver using ftp. Because the rights to those files are restricted to the owner, I can't delete them using ftp (logging in as kensentme). It can only be done by logging in as root on the server and then deleting them with the command line.

    I know Apache2 has the mpm-perchild, but according to the apache-developers it's not safe to use it.

    How do professional hosters solve this problem (or deal with it) and are there safe and secure alternatives?

  2. #2
    When PHP uploads a file, it will have the permissions of nobody, right?

  3. #3
    I now tried to upload a file using Joomla (cms). It has the following rights:

    -rw-r--r-- 1 www-data www-data

    So if I try to delete it using ftp with user kensentme, it will not be possible, because only the owner has write rights.

  4. #4
    Nobody has a clue on how it's done in professional environments?

  5. #5
    Since the PHP script is running as www-data, another user can't delete files uploaded by that user. To solve the problem, you have to make another PHP script to manage uploads; I think Joomla has this feature (I have seen it in the Mambo forum). Another solution is to chmod the file to 777 after uploading. To do this, you need to modify the upload script.

  6. #6
    Ok, but there's no standard solution from the server's side so you don't have to solve the problem every time this occurs?

  7. #7
    The server-side solution would be running the script as the user using phpsuexec. This is available on cPanel servers.

  8. #8
    suexec/PHP as a CGI's performance does not hold a candle to Apache's mod_php. If your site gets any reasonable amount of traffic, don't use it.

    To the OP: if you're using a content management system, there should be some mechanism to delete files that it has created. Besides that, you can install a web-file manager running through a PHP script: it will be the correct user and you can delete files to your liking. You won't be able to use FTP.

  9. #9
    As you can see, there is no ideal solution. It is a common problem: Apache and PHP run as one user, so when they create files they are created as that user - different to the FTP user.
    It will be a pay off between security and usability. One option we implemented on an old system was to have a chown script in the control panel for each user, so they could simply log in and click chown, and it would basically chown selected files back to their ftp user.
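
The kind of chown-back helper post #9 describes, as an added example that is not part of the thread or any poster's code. The function names `web_owned` and `chown_back` are hypothetical, the user and group names are passed in by the caller, and `chown_back` is assumed to run as root from the control panel.

```shell
#!/bin/sh
# Hypothetical helper: hand files created by the web server user back to
# the site's FTP user, confined to that site's document root.

# List entries under docroot ($1) owned by the web user ($2).
# Extra arguments replace find's default -print action.
web_owned() {
    docroot=$1 web_user=$2
    shift 2
    case $docroot in
        /*) ;;
        *) echo "docroot must be an absolute path" >&2; return 2 ;;
    esac
    # Refuse a docroot that is itself a symlink to somewhere else.
    [ -d "$docroot" ] && [ ! -L "$docroot" ] || {
        echo "docroot must be a real directory" >&2
        return 2
    }
    # -P: never follow symlinks; -xdev: stay on one filesystem.
    # Only directories and singly linked regular files are selected, so
    # symlinks and hard links to files outside the docroot are skipped.
    find -P "$docroot" -xdev -user "$web_user" \
        \( -type d -o \( -type f -links 1 \) \) "$@"
}

# chown_back DOCROOT WEB_USER FTP_USER GROUP
# Example with the names from the thread (assumed paths):
#   chown_back /var/www/site www-data kensentme www-data
chown_back() {
    docroot=$1 web_user=$2 ftp_user=$3 group=$4
    # -h: change a symlink itself, never its target, should the final
    # path component be replaced between the find and the chown.
    web_owned "$docroot" "$web_user" \
        -exec chown -h -- "$ftp_user:$group" {} +
}
```

Calling `web_owned` without extra arguments gives a dry run that prints what `chown_back` would change, which is worth logging before the ownership change is applied.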
