I have checked out articles and tutorials.
I don't know what to do about the security of my picture upload folder.
It is pictures for classifieds which should be uploaded to the folder.
This is what I want:
Anybody may upload images to the folder.
The images will be moved to another folder, by another php-code later on (automatic).
Only I may manually remove them, as well as another php file on the server which automatically empties the folder after x-days.
What should I do here?
The images are uploaded via a PHP upload script. This script checks to see if the extension of the file is actually a valid image file.
When I try this:
chmod 755 images
the images won't be uploaded.
But like this it works:
chmod 777 images
But 777 is a security risk right?
Please give me detailed information...
The Q is, what to do to solve this problem, not info about what permissions there are etc etc...
Thanks
If you need more info let me know...
4 solutions
#1
3
You have to make sure the upload folder is owned by apache or whoever user is as which the http server is started.
Alternatively you can use 775 owned by the UID who will be collecting the files and with as gid the group id as which the webserver is started.
There are of course variations on these themes.
As long as the webserver user or webserver group has permission to write in the folder, it will be fine for uploading.
There are all kinds of corner cases, but then we'll need more info about your setup.
#2
1
0 No Permissions (the user(s) cannot do anything)
1 Execute Only (the user(s) can only execute the file)
2 Write Only (the user(s) can only write to the file)
3 Write and Execute Permissions
4 Read Only
5 Read and Execute Permissions
6 Read and Write Permissions
7 Read, Write and Execute Permissions
First number = OWNER
Second number = GROUP
Third number = OTHER USERS
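As an added example (not code from the question or from any of the answers), here is a small POSIX shell helper that applies the owner/group/other rule from answers #1 and #2 to decide whether a given OS user can create files in a directory, and walks through the asker's situation with made-up user and group names ("joe" for the FTP owner, "www-data" for the web server, "bob" for an unrelated account):

```shell
#!/bin/sh
# Added example, not code from the question or any answer: applies the
# owner/group/other rule from answers #1 and #2 to decide whether an OS
# user can create files in a directory. All user/group names are sample values.

# Usage: can_create_in_dir MODE DIR_OWNER DIR_GROUP USER "USER_GROUPS..."
# Prints "yes" or "no"; returns 0 for yes, 1 for no.
can_create_in_dir() {
    mode=$1 dir_owner=$2 dir_group=$3 user=$4 user_groups=$5
    # Drop a leading setuid/setgid/sticky digit, e.g. the 0 in 0755.
    case $mode in ????) mode=${mode#?} ;; esac
    # Pick the digit that applies: owner (1st), group (2nd) or other (3rd).
    if [ "$user" = "$dir_owner" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)
    else
        digit=$(printf '%s' "$mode" | cut -c3)
        for g in $user_groups; do
            if [ "$g" = "$dir_group" ]; then
                digit=$(printf '%s' "$mode" | cut -c2)
                break
            fi
        done
    fi
    # Creating a file needs write (bit 2) and search/execute (bit 1) on the dir.
    if [ $((digit & 2)) -ne 0 ] && [ $((digit & 1)) -ne 0 ]; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Walk through the asker's case: the folder belongs to the FTP user "joe"
# while PHP runs as the web server user "www-data" (sample names).
report() {
    printf '%-44s -> %s\n' "$1" "$(can_create_in_dir "$2" "$3" "$4" "$5" "$6")"
}
report "755, joe:joe, upload by www-data"        755 joe joe www-data www-data
report "777, joe:joe, upload by www-data"        777 joe joe www-data www-data
report "755, www-data:www-data, by www-data"     755 www-data www-data www-data www-data
report "775, joe:www-data, upload by www-data"   775 joe www-data www-data www-data
report "775, joe:www-data, cleanup by joe"       775 joe www-data joe "joe www-data"
report "775, joe:www-data, by unrelated user"    775 joe www-data bob bob
```

The last three lines show answer #1's 775 alternative: the owner and the web server group can both write, while every other account on the host is kept out.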
#3
-1
One possibility for why it only works with 777 permissions might be if you are running SELinux. It's possible that it is preventing the write. I would have thought though that it would have prevented it even with the 777 permissions, but I'm no SELinux expert.
#4
-3
Every newbie mixes users up. :)
You just have to distinguish the OS user and the website user.
The latter one has nothing to do with OS permissions.
For the OS users you have given 2 of them:
- FTP user, owner of the files uploaded via FTP
- webserver user, owner of the files uploaded via browser.
- Site user, who has no direct access to any files at all.
So, in case both these users are the same, you have nothing to worry about.
But usually these are different users. So, one has no access to the other's files unless directories have 777 and files 755.
That's why you have to set 777 for directories.
As we have learned above that website users have nothing to do with OS permissions, you should not worry about security. 777 is ok.