I am trying to write a file upload script in PHP but am having trouble with permissions, and I think I need to do something with Apache to fix this (I hope this is the right place to post, please tell me if not!). I do not want to have to set the permissions on the folder to 777 for security reasons, but the owner of my upload directory does not match the 'user' that is the PHP script (in my limited understanding). From the advice I've got so far, I need to change the owner of the upload directory so that it thinks the PHP script is coming from it's owner and authorized to write to the folder. From what I know, which is not a lot on this topic, I need to access the server directly to do this, probably using some sort of SSH, shell, something like that. I can look up the code to put in the server, but am not sure how to actually transmit this into the server. I do have the *ability* to access the server, (it is a virtual dedicated server which I own and use exclusively), but not the *knowledge* of how to do this. I have only ever needed to do the most basic server management through Plesk, and I'm not sure if there is a simple way to do this through the Plesk interface but I couldn't see one. I know next to nothing about server administration and everything I can find to read seems to skip over the very basics. Can anyone walk me through this? I want to learn. Or if I am way off base with what I need to do can you point me in the right direction? Thanks so much.
Setting a directory to open permissions (777) and changing the ownership of the directory to the Apache user really creates the same problem. In either case, another VirtualHost hosted on that server would still have write permissions to the directory. If your account is the only account being hosted on the server, then it really doesn't hurt to have open directories. If your account is the only hosting account on the server, then the only account that can get hacked into is your account. At that point it doesn't really matter who is writing files to your account. The underlying problem is still an insecurity of your account. For example, if you used suPHP on your server. PHP scripts would run as your account's username. So any directory that is owned by your username, PHP would be able to write files in that directory. If your account has an insecure script or other insecurity on it, then malicious users would be able to use that vulnerability to write files into any of your directories. Open directories are really only a concern in a shared hosting environment or in an environment where there are multiple users on a server. If your account is the only account on the server, then the least secure account on the server is just your account. Some might argue that in that situation having a select few open directories is better than running suPHP where every directory would be PHP writable. There is some merit to that conclusion. But that only works if your account is the only account on the server.
I understand a bit better now. I have Virtual Private Server and am the only one using it, so I think the security issues are the same as a dedicated server, as far as I've read. I am going to set my upload folders to 777, make sure I check in my upload script to only allow images, docs and pdfs, and I will put in an .htaccess file blocking php files from being run in that directory or CGI scripts. Does that seem reasonably secure?
If your account is the only account on the server, then you should be fine. Best thing you can do is to insure that your scripts are always kept up-to-date. Then you have less of a worry about someone taking advantage of your account.