Submit Your Article Forum Rules

Results 1 to 6 of 6

Thread: File Owner Changes w File Upload via Browser, LINUX

  1. #1
    Senior Member blitzen's Avatar
    Join Date
    Apr 2006
    Location
    Boulder, CO USA
    Posts
    371

    File Owner Changes w File Upload via Browser, LINUX

    Hi,
    I am using a browser to upload files. The program I implemented is http://github.com/valums/file-uploader, AJAX -> php program. (This program is used only in a password protected directory.)

    The program or something in the transfer changes the owner on the file to "nobody", possibly because it's an https upload?
    I am not in that group.

    Although the permissions are set to 0777, this messes up when I sftp to overwrite any file because of the ownership.
    My sftp will not overwrite the file, rather deletes it (after I tell it is okay to delete), then I can upload the file via sftp.

    My host suggested this.
    "Unfortunately, not without switching your VPS to run suPHP or mod_ruid. Both of which will then cause a chain reaction of permissions issues we'd have to troubleshoot.

    I normally would recommend either of the above options as they provide a bit more security, but your VPS was originally setup before we started using them. Switching now is sadly not a painless exercise. We can usually catch most of the problems but it's quite likely you'll find a few pages/scripts that won't work until we fix the permissions up."

    Please advise your thoughts on this.
    Which method, suPHP or mod_ruid?
    Permission issue? What would those issues be?
    Would you think this will be a massive issue of downtime to troubleshoot?

    Thank you.
    Hidden Content
    Over 20 years programming, design & Internet/Arpanet experience.
    Hidden Content

  2. The following user agrees with blitzen:
  3. #2
    Senior Member dgswilson's Avatar
    Join Date
    Jul 2009
    Location
    Texas
    Posts
    284
    I think nobody is the host server. Like (0644) user, nobody, group, or something like that.

    I can't help myself so I'll just ask, why do you want to use this particular file upload system?
    In search of the self determined path

  4. The following user agrees with dgswilson:
  5. #3
    WebProWorld MVP
    Join Date
    Aug 2003
    Posts
    1,020
    I've always used suPHP on our shared web hosting servers and never had issues or cause to look further.

    As for permission issues, well when you run suPHP you end up with PHP running as the account owner therefore you just need to change the ownership of all files to be that of the account owner, depending on the number of accounts it doesn't take very long at all. The only other issue is that if you have PHP scripts which are too permissive then suPHP will not run them, however that does depend on the settings in the suPHP config file, but again removing unwanted write access from PHP files is fairly painless.

    Will you have issues, maybe, will they be massive, no they shouldn't be, how long to get it all done will depend on how responsive the host is once you find a site that's not working.

  6. The following user agrees with speed:
  7. #4
    Senior Member jhannawin's Avatar
    Join Date
    Jun 2010
    Location
    UK
    Posts
    181
    This isn't going to help, but 0777, really? To my mind, and to most security audit systems, that is a huge security issue. I would be looking to change your host if they let stuff like that go by. That won't be painless, but they clearly don't have a good grasp on security.
    ---------------------------------------------------------------------
    Hidden Content (tm) - A Hidden Content for Hidden Content and marketing agencies

  8. The following user agrees with jhannawin:
  9. #5
    Senior Member blitzen's Avatar
    Join Date
    Apr 2006
    Location
    Boulder, CO USA
    Posts
    371
    This makes it faster than juggling a couple programs. I'm already in one app, so why not use an upload there where the names of the uploaded files are also inserted in the correct fields for future use. Saves time and minimizes errors. Why this one? Because it exists. Do you have other recommendations? Of course the permissions won't be set to 0777 for production. Of course, it's under a password-protected directory. Of course my host has a secured server. I've seen numerous other programs, many cost $$, that insist you set 0777 permissions. Go figure. We all know that if you follow every security rule, you can still get hacked.

    Speed, thank you for answering my question, Thank you!!!
    Hidden Content
    Over 20 years programming, design & Internet/Arpanet experience.
    Hidden Content

  10. The following user agrees with blitzen:
  11. #6
    WebProWorld MVP
    Join Date
    Aug 2003
    Posts
    1,020
    No problem, if you do move to suPHP and get in a mess with the scripts give me a shout.

    Also once you move to suPHP remove the 0777 permission from the folders despite what the scripts say you don't need it, you only need it writeable by your account (owner).

  12. The following user agrees with speed:

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •