File Owner Changes w File Upload via Browser, LINUX

[blitzen]

Hi,
I am using a browser to upload files. The program I implemented is http://github.com/valums/file-uploader, AJAX -> php program. (This program is used only in a password protected directory.)

The program or something in the transfer changes the owner on the file to "nobody", possibly because it's an https upload?
I am not in that group.

Although the permissions are set to 0777, this messes up when I sftp to overwrite any file because of the ownership.
My sftp will not overwrite the file, rather deletes it (after I tell it is okay to delete), then I can upload the file via sftp.

My host suggested this.
"Unfortunately, not without switching your VPS to run suPHP or mod_ruid. Both of which will then cause a chain reaction of permissions issues we'd have to troubleshoot.

I normally would recommend either of the above options as they provide a bit more security, but your VPS was originally setup before we started using them. Switching now is sadly not a painless exercise. We can usually catch most of the problems but it's quite likely you'll find a few pages/scripts that won't work until we fix the permissions up."

Please advise your thoughts on this.
Which method, suPHP or mod_ruid?
Permission issue? What would those issues be?
Would you think this will be a massive issue of downtime to troubleshoot?

Thank you.

[dgswilson]

I think nobody is the host server. Like (0644) user, nobody, group, or something like that.

I can't help myself so I'll just ask, why do you want to use this particular file upload system?

[speed]

I've always used suPHP on our shared web hosting servers and never had issues or cause to look further.

As for permission issues, well when you run suPHP you end up with PHP running as the account owner therefore you just need to change the ownership of all files to be that of the account owner, depending on the number of accounts it doesn't take very long at all. The only other issue is that if you have PHP scripts which are too permissive then suPHP will not run them, however that does depend on the settings in the suPHP config file, but again removing unwanted write access from PHP files is fairly painless.

Will you have issues, maybe, will they be massive, no they shouldn't be, how long to get it all done will depend on how responsive the host is once you find a site that's not working.

[jhannawin]

This isn't going to help, but 0777, really? To my mind, and to most security audit systems, that is a huge security issue. I would be looking to change your host if they let stuff like that go by. That won't be painless, but they clearly don't have a good grasp on security.

[blitzen]

This makes it faster than juggling a couple programs. I'm already in one app, so why not use an upload there where the names of the uploaded files are also inserted in the correct fields for future use. Saves time and minimizes errors. Why this one? Because it exists. Do you have other recommendations? Of course the permissions won't be set to 0777 for production. Of course, it's under a password-protected directory. Of course my host has a secured server. I've seen numerous other programs, many cost $$, that insist you set 0777 permissions. Go figure. We all know that if you follow every security rule, you can still get hacked.

Speed, thank you for answering my question, Thank you!!!

[speed]

No problem, if you do move to suPHP and get in a mess with the scripts give me a shout.

Also once you move to suPHP remove the 0777 permission from the folders despite what the scripts say you don't need it, you only need it writeable by your account (owner).