DiigIT | IT Community

permissions issue with uploading graphics

By: Shailesh Singh | 05 Sep 2008 1:17 pm

Their upload script uploads the picture into the images/ dir and then creates a thumbnail of it and puts it in the thumb/ dir. That all works.

Their delete script first deletes the photos and then the student data from the db. Ah... the photos have not been deleted.

Looking at the permissions I see that images/ and thumb/ are both 1600775 www-data owner. The picture in images/ is 600600 but the one in thumbs/ is 600644. That is a problem.

All the thumbs have been deleted but the pictures themselves are not. Now, I'll write some code to change the rw permissions of the pic but what I'm after is, why is it that the main pic is rw to the owner and none to the group but on the thumb it's rw for the owner and read-only for the owner. Why can that one be deleted?

Wade

-----------------------------------------------------
The question itself is a little confusing where you say "but on the thumb it's rw for the owner and read-only for the owner".

I will offer some explanation that is common but may not be your case.

PHP runs under someone's authority. The authority may be user (www, anybody, nobody, apache) or the authority of the visitors. This is often the case when PHP runs as an Apache application. In that case all files created by PHP will have the default owner "user" (anybody).

PHP can also run with the authority of the account owner. This is often the case when php runs as a CGI. Files created with this authority have the owner who is the owner of the account "owner".

The difference between the pictures and the thumbnails is that thumbnails are created by php and the pictures are not. The pictures are uploaded with the authority of "user" so the owner is "user".

The thumbnails are created by the script so the owner is the authority that the script runs under.

Later versions of PHP are more frequently run as a CGI. Earlier versions were rarely run as a CGI. It is also rare for PHP running as an Apache application to have any authority other than "user" or "group".

It may be the case that the script was running perfectly until a php upgrade. Look at the dates of the pictures and that may help pinpoint a time.

Comments

Are the images being uploaded via PHP and an HTML form or via FTP?

As you probably know, the basic operation of uploading a file via PHP is to
have a web form with a <form ...> and an <input type='file' ...>. When the
user selects a local file and submits the form, the
file is uploaded to a temporary location (often /tmp on Linux) with a random
temporary filename. Your PHP script (named in the action property of the form
tag) uses is_uploaded_file() to check to see if the file has really been
uploaded and not a POST spoof and that it is of the correct type and size which
is allowed to be uploaded to your application. Then you use
move_uploaded_file() to copy the temporary file to a directory which the PHP
(i.e. Apache) user may write to. It is often a good idea to have this directory
be outside the web space and create a special handler script to get the data
when requested by the browser.

Under these conditions, unlink() should work. However, if users are uploading
files via FTP or SCP/SFTP with their own user names, PHP won't be able to touch
them without some additional considerations. I don't know why you would be
seeing different perms for the uploaded files. PHP scripts can do this to
files uploaded via form but it is more likely a problem with FTP-style uploads.
By: | 10 Sep 2008
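
The upload steps described in the comment above, as an added example that is not part of the original thread and not the poster's code. The directory path, size limit, allowed types, the form field name `photo` and the helper names `store_upload` and `delete_photo` are assumptions; it needs PHP 7 or later with the fileinfo extension.

```php
<?php
// Added example, not from the original thread. Paths, limits and the form
// field name 'photo' are assumptions.
const UPLOAD_DIR = '/var/lib/studentapp/photos'; // assumed: outside the web root, writable by the PHP user
const MAX_BYTES  = 2 * 1024 * 1024;              // assumed size limit
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    // Reject anything that did not arrive through PHP's own upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the content, not from the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed: ' . $mime);
    }
    // Server-chosen name: the client's filename never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    // Set the mode explicitly so the stored file does not keep whatever
    // mode the temporary file happened to have.
    chmod($dest, 0640);
    return $dest;
}

function delete_photo(string $path): void
{
    // Only delete inside UPLOAD_DIR, and report the failure instead of hiding it.
    $real = realpath($path);
    if ($real === false || dirname($real) !== realpath(UPLOAD_DIR)) {
        throw new RuntimeException('refusing to delete outside upload dir');
    }
    if (!unlink($real)) {
        throw new RuntimeException('unlink failed for ' . $real);
    }
}

if (isset($_FILES['photo'])) {
    echo basename(store_upload($_FILES['photo']));
}
```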
