  1. #1
    Join Date
    Mar 2003
    Posts
    663

    Must an upload folder be in 777?

    Is it really a must, or does 755 work? Also, what is the proper way to disable CGI scripts from executing in these upload folders? I already have an .htaccess file that disables execution of PHP scripts.

    AddType text/plain .php

    Thanks.

  2. #2
    Join Date
    Mar 2006
    Posts
    418
    776 (read, write, execute for owner and group, read and write but not exe for public)

    766 (read, write, execute for owner, read and write but not exe for group & public)

    666 (read and write for all, no execution whatsoever)

    I would suggest 666 if you don't have any scripts in the folder and only need to dump and get stuff; this way, no matter what user is accessing the folder, it cannot execute a potentially harmful uploaded script/program.

  3. #3
    Join Date
    Mar 2003
    Posts
    663
    My upload folder is for users to upload images. Will they be able to view the image then? To view image = 77(7)?

  4. #4
    Join Date
    Mar 2006
    Posts
    418
    You only need "read" permissions to view a file; I suggest 666.

  5. #5
    Join Date
    Nov 2005
    Location
    Canada
    Posts
    130
    Unfortunately, a lot of scripts still require a few folders to be 777. You can test this by changing it to 755 or something, and if it stops working, try something else until it works again.

  6. #6
    Join Date
    Mar 2003
    Posts
    663
    Not sure if this case applies correctly. I've a cache folder. Basically this cache folder is for my script to write static files for cache and on every request of the script, it will first look for a cache for this section and if found (PHP using is_file(filename)), it will read the file and output to the public.

    Given this logic, I CHMOD it to 666, since it is just plainly for reading and writing by my application. But apparently that's not the case. I received permission denied on the is_file() function.

    Any ideas on this?

  7. #7
    Join Date
    Mar 2006
    Posts
    418
    Try is_readable($file) instead...

    messa: (s)he only has static content in the folder though, no scripts etc., so it wouldn't need to be executable in any way?

  8. #8
    Join Date
    Mar 2003
    Posts
    663
    OK, I didn't try is_readable, but regarding the AddType text/plain .php, what is the equivalent way for CGI or any other harmful scripts? It should be very useful for many users here, since many applications nowadays support uploads from their own members.

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    If you are not using phpsuexec, yes, it will need to be 777.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
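
An added example, not written by any poster in this thread: a Python audit of an upload folder's mode bits. It shows why a directory set to 666 produces permission errors on the files inside it (the symptom reported in post #6) and flags world-writable directories, files carrying an execute bit, and script extensions. The function names, the extension list and the sample tree are assumptions constructed for illustration; the search-bit check looks at the owner's bits, assuming the script runs as the directory owner.

```python
import os
import stat
import tempfile

# Assumption: extensions your server may hand to an interpreter; adjust to its handlers.
SCRIPT_EXTS = {".php", ".phtml", ".cgi", ".pl", ".py", ".sh"}
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_upload_dir(root):
    """Return (name, finding) pairs for root and its direct entries, from mode bits only.

    Raises PermissionError if the caller is not allowed to list root.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(root).st_mode)
    if mode & stat.S_IWOTH:
        findings.append((".", "world-writable directory"))
    if not mode & stat.S_IXUSR:
        # On a directory, x means "search": without it, stat()/open() on entries fail.
        findings.append((".", "owner lacks search (x) bit"))
        return findings  # entries are unreachable for the owner, so stop here
    for name in sorted(os.listdir(root)):
        st = os.lstat(os.path.join(root, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & ANY_EXEC:
            findings.append((name, "file has an execute bit"))
        if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
            findings.append((name, "script extension"))
    return findings


def demo():
    """Build a constructed sample tree and audit it with the folder at 777, 666 and 755."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        up = os.path.join(tmp, "uploads")
        os.mkdir(up)
        for name, fmode in (("photo.png", 0o644), ("notes.php", 0o755)):
            with open(os.path.join(up, name), "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(os.path.join(up, name), fmode)
        for dmode in (0o777, 0o666, 0o755):  # 755 last so cleanup can traverse
            os.chmod(up, dmode)
            results[oct(dmode)] = audit_upload_dir(up)
    return results


if __name__ == "__main__":
    print(demo())
```

The audit reads mode bits and names only, so it reports the same findings whether or not it runs as root.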
