Centos – How to give PHP permissions to write to files without globally opening up permissions to the directory

centosconfigurationpermissionsPHP

I'm running Centos 5.5. I need to create / write some files with a PHP script. The script only works if I have the permissions of the directory in which the files are to be created / written set to writable for everyone, ie:

chmod a+w my_directory

The script is working fine, but having my directory writable like that is obviously BAD.

My question is, is there a way to allow selected programs (such as PHP) permission to write and create files while keeping everyone else out?

Many thanks

Best Answer

Make the files/directories PHP needs to write to owned/writable by the user or group that PHP is running as (usually your web server's user/group).

Note that while this configuration is more secure than world-writable files it is only as secure as your code and your webserver configuration. Plan accordingly.

Related Solutions

PHP session files have permissions of 000 – They’re unusable

The /tmp folder is a default placeholder for session files. Better use your own custom session folder

If Your host has allowed .htaccess overrides permission, you can place the following directive in your .htaccess under public_html or httpdocs folder

php_value session.save_path '/yourpath/sessionfolder'

If you are NOT running php in suphp mode, Make sure the folder is writable by others (777)

Linux – How to Set Up Permissions for the WWW Folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Best Answer

Related Solutions

PHP session files have permissions of 000 – They’re unusable

Linux – How to Set Up Permissions for the WWW Folder

Related Topic