Thread: Must an upload folder be in 777?
-
11-19-2006, 01:00 PM #1Web Hosting Master
- Join Date
- Mar 2003
- Posts
- 663
Must an upload folder be in 777?
Is it really a must, or does 755 work? Also, what is the proper way to disable CGI scripts from executing in these upload folders? I already have an .htaccess file that disables execution of PHP scripts.
AddType text/plain .php
Thanks.
-
11-19-2006, 01:40 PM #2Aspiring Evangelist
- Join Date
- Mar 2006
- Posts
- 421
776 (read, write, execute for owner and group, read and write but not exe for public)
766 (read, write, execute for owner, read and write but not exe for group & public)
666 (read and write for all, no execution whatsoever)
I would suggest 666 if you don't have any scripts in the folder and only need to dump and get stuff. This way, no matter what user is accessing the folder, it cannot execute a potentially harmful uploaded script/program.
-
11-19-2006, 01:50 PM #3Web Hosting Master
- Join Date
- Mar 2003
- Posts
- 663
My upload folder is for users to upload images. Will they be able to view the image then? To view image = 77(7)?
-
11-19-2006, 02:04 PM #4Aspiring Evangelist
- Join Date
- Mar 2006
- Posts
- 421
You only need "read" permissions to view a file. I suggest 666.
-
11-19-2006, 02:12 PM #5WHT Addict
- Join Date
- Nov 2005
- Location
- Canada
- Posts
- 132
Unfortunately, a lot of scripts still require a few folders to be 777. You can test this by changing it to 755 or something, and if it stops working, try something else until it works again.
-
11-19-2006, 02:16 PM #6Web Hosting Master
- Join Date
- Mar 2003
- Posts
- 663
Not sure if this case applies correctly. I have a cache folder. Basically, this cache folder is for my script to write static cache files, and on every request the script will first look for a cache for this section and, if found (PHP using is_file(filename)), it will read the file and output it to the public.
With this logic, I CHMOD it to 666, since it is just for reading and writing by my application. But apparently that's not the case. I received permission denied on the is_file() function.
Any ideas on this?
-
11-19-2006, 03:17 PM #7Aspiring Evangelist
- Join Date
- Mar 2006
- Posts
- 421
Try is_readable($file) instead...
messa: (s)he only has static content in the folder though, no scripts etc., so it wouldn't need to be executable in any way?
-
11-19-2006, 03:38 PM #8Web Hosting Master
- Join Date
- Mar 2003
- Posts
- 663
OK, I didn't try is_readable, but regarding the AddType text/plain .php, what is the equivalent way for CGI or any other harmful scripts? It should be very useful for many users here, since many applications nowadays support uploads from their own members.
-
11-19-2006, 03:42 PM #9Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
If you are not using phpsuexec, yes, it will need to be 777.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
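An added example, not part of any post in this thread: a Python audit of an upload tree for the permission cases discussed above (a 777 folder, an execute bit on a stored file, and a folder set to 666, which lacks the search bit that is_file() needs to reach its entries). The function names, finding labels and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

WORLD_WRITABLE_DIR = "world-writable directory without sticky bit"  # labels: example's own wording
NO_SEARCH_BIT = "owner lacks search (x) bit: stat()/is_file() on entries is denied"
EXEC_FILE = "execute bit set on a stored file"
WORLD_WRITABLE_FILE = "world-writable file"

def audit_upload_tree(root):
    """Return sorted (relative path, octal mode, finding) tuples under root."""
    findings, pending = [], [root]
    while pending:
        directory = pending.pop()
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            st = os.lstat(path)  # lstat: never follow symlinks placed in uploads
            mode = stat.S_IMODE(st.st_mode)
            entry = (os.path.relpath(path, root), format(mode, "03o"))
            if stat.S_ISDIR(st.st_mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append(entry + (WORLD_WRITABLE_DIR,))
                if mode & stat.S_IXUSR:
                    pending.append(path)  # traversable, so audit its contents
                else:
                    findings.append(entry + (NO_SEARCH_BIT,))
            elif stat.S_ISREG(st.st_mode):
                if mode & 0o111:
                    findings.append(entry + (EXEC_FILE,))
                if mode & stat.S_IWOTH:
                    findings.append(entry + (WORLD_WRITABLE_FILE,))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: images/ 755, incoming/ 777, cache/ 666 (empty)."""
    for dname, dmode, fname, fmode in [("images", 0o755, "photo.jpg", 0o644),
                                       ("incoming", 0o777, "upload.cgi", 0o755),
                                       ("cache", 0o666, None, None)]:
        dpath = os.path.join(root, dname)
        os.mkdir(dpath)
        if fname:
            with open(os.path.join(dpath, fname), "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(os.path.join(dpath, fname), fmode)
        os.chmod(dpath, dmode)  # explicit chmod: mkdir's mode is umask-filtered

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*audit_upload_tree(tmp), sep="\n")
```

On a directory, the x bit means "may look up entries", not "may run programs", so the audit reports a missing search bit separately from execute bits on files.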