Correct PHP file upload permissions - mysql

I have developed a download/upload manager script.
When I upload a file via POST method it is stored in a folder called files, the files folder is within another folder called download-manager.
Now it seems when I upload via the POST method 0666 CHMOD works when I want to rename, delete the file but the download-manager folder and the files folder need to be 0777 CHMOD for this to work. Now can someone tell me if this is dangerous?
1) I got a deny all in .htaccess so nobody can access the files directory via a browser
2) the upload script is protected by a username and password which the person who uses the script will obviously change, so only admins can basically upload, rename, edit, delete files and the records in the MySQL database.
When a file is uploaded a record is added to the database with information like file type, file name, file size etc and then the unique id (auto incremented by MySQL) is appended to the process.php file which gets the file from the directory and mime type etc that is not revealed, the process.php basically does the checks to see if record and files exists and if so forces the download of that file.
Basically the download URL is like: wwww.mydomain.com/process.php?file=57, a check is done to obviously make sure that id exists in the database and that a file exists with the file name stored in the database with that id.
Now all this works fine when uploading the file via a form using POST method but I also added a manual upload so for people who want to upload a file that is larger than the size their webhost allows they can simply upload the file via an FTP program for example and then just add the filename and file details manually themselves via a form in the admin area to link the record with the file. The problem is then a permission issue because if the file is uploaded via FTP or whatever way they upload the file, the php script cannot rename, delete the file if needed in the future as the php script does not have the correct privileges. So from what I gather, the only option is then telling the persons who use the script to change the file chmod to 0777 for it to work, I think that will make it work?
But then I have the problem of 0777 also being executable. The script allows any file type upload as it's a download/upload manager script but at the same time I am slightly confused with all this permissions lark and what I should actually be doing. As php is limited by the max upload size set by a host I want to add manual upload so users can upload the file by another method and assign the file to the database record but then as stated I get a problem when wanting to rename, delete the file via the php script.
I have developed the script to detect such problems and notify the user etc but I would like to try and make this script do all the leg work or nearly all of it without having to state in the manual that the admin will have to chmod the file to 0777 when they want the script to rename, delete the file, although I don't know if just chmodding the file to 0777 will actually allow the php script to rename, delete it and so forth but also security is then a concern.
UPDATED
Ok thanks so chown the file before chmodding it on upload?
Do I just use chown() around the file and nothing else and that will make it owned by the server process and make it private? As I see you got
chown apache:apache '/path/to/files' ;
Do I need to add the apache:apache bit?
I did think of this as a simpler solution, if an admin does a manual upload tell them they will have to rename/delete the file manually if needed in the future because the script won't have the correct permissions to do so, this would then make this an easy solution, as the manual upload script can just rename the db record to keep it linked to the file. That way no worries of file permission issues.
Simply put user changes file manually via ftp for example from myfile.zip to somefile.zip then they edit the db record for that file and change the filename to somefile.zip from the old filename myfile.zip, that way everything is linked still but no worries about permission issues. As I also have been reading that chown() does not always work or cannot be relied on for whatever reason.

1) I got a deny all in .htaccess so nobody can access the files directory via a browser
Store your files in a separate folder, away from the directory structure that houses your PHP files.
As far as the permissions on the directory are concerned, there are three ways to go about setting up the permissions on the folder:
1) Make it world-writable (chmod 0777 '/path/to/files/'). This is not recommended, as it has major security implications especially on a non-dedicated server; anyone who has an account or can tell a process on the server to write/delete to that folder will be able to change its contents.
2) Make it temporary (chmod 1777 '/path/to/files/'). This also carries a security concern, but less so than option 1 for the following reason: users cannot modify the directory--only the files they own.
3) Make it owned by the server process and make it private (chown apache:apache '/path/to/files' ; chmod 0700 '/path/to/files'). This is arguably the best solution.
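The three setups from the answer above, as an added example that is not part of the original answer: a shell helper that reports which setup an upload directory currently matches, counts uploaded files carrying an execute bit, and applies the 0700 setup. The function names are hypothetical, GNU `stat -c` is assumed, and the `chown apache:apache` step is left out because it needs root.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU coreutils `stat -c`.

# Print which of the three setups a directory matches.
classify_upload_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not-a-directory"; return 2; }
    mode=$(printf '%04d' "$(stat -c '%a' "$dir")")  # e.g. 0777, 1777, 0700
    special=${mode%???}   # leading digit: setuid/setgid/sticky bits
    other=${mode#???}     # trailing digit: permissions for "other"
    case $other in
        2|3|6|7)          # write bit set for every account on the host
            case $special in
                1|3|5|7) echo "sticky-world-writable" ;;  # option 2 (1777)
                *)       echo "world-writable" ;;         # option 1 (0777)
            esac ;;
        *)
            if [ "$mode" = "0700" ]; then
                echo "private"                            # option 3 (0700)
            else
                echo "restricted"
            fi ;;
    esac
}

# Count uploaded files that carry any execute bit (the 0777-on-files concern).
count_executable_uploads() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | wc -l | tr -d ' '
}

# Apply option 3's modes. The ownership change from the answer
# (chown apache:apache) needs root and is not done here; the account name
# varies by distribution.
harden_upload_dir() {
    chmod 0700 "$1" &&
    find "$1" -type f -exec chmod 0600 {} +
}

# Stand-alone use: ./check-upload-dir.sh /path/to/files
[ $# -eq 0 ] || classify_upload_dir "$1"
```

Stored files only need to be read and written by the script, so 0600 on the files is enough for rename and delete, which are governed by the directory's permissions.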

Just relax & enjoy.
On many shared hostings it's the only possible solution anyway.
There is another option - to ask a user for ftp pass and use ftp for copying files from tmp, like wordpress does. But I think it's even less secure.

Related

How do I modify the default graphdb.home directory?

I have installed GraphDB Free v9.3 in LinuxMint 19.3.
The workbench is running fine though I haven't created any repositories yet. This is because I have noticed that although the application is installed at /opt/graphdb-free, the data, conf and log files are in a hidden folder below my home folder: /home/ianpiper/.graphdb/conf (etc).
I would prefer to store these folders on a separate volume, mounted at /mnt/bigdata. In the documentation it suggests that I can set graphdb.home using the graphdb.properties file (though I don't seem to have such a file in my installation) or in the startup script. I think this script might be /opt/graphdb-free/app/bin/setvars.in.sh, and that I could use this to change
-Dgraphdb.home=""
to
-Dgraphdb.home="/mnt/bigdata"
Could a knowledgeable person advise as to whether my understanding is correct, and if so what the best way is to change the location of graphdb.home?
Thanks,
Ian.

Have index.html file but still getting a directory listing

I have an index.html file in my Apache DocumentRoot directory but when I go to my URL, I am still getting a directory listing of my DocumentRoot directory instead of the index.html file being displayed. The apache access_log shows 200's when I reload the page. Any suggestions?
Use
DirectoryIndex index.html
It tells apache what document to show for a directory request.
update
You should specify just the filename that apache will look for in the folder requested.
Not saying this will fix it for you, but for me when first getting started with Apache2 it was file permissions that would get forgotten when moving or writing new files under the web root directory.
ls -hal /var/www/host_one/index.html
If the above doesn't have read (r) permissions for the same user:group or if the ownership doesn't include the user/group of the web server, then try the following for allowing group reads
# Modify ownership, change 'www_host' to Apache2 group
chown ${USER}:www_host /var/www/host_one/index.html
# give read+write (6) to user and read (4) to group owners
chmod 640 /var/www/host_one/index.html
Try refreshing the website and see if permissions were the issue. Note most web documents only require read permissions and ownership to be correct for browsers to be allowed to pick them up for rendering, on rare occasions you may need executable (1 or x) permissions for server scripts (be cautious of ownership in such cases) and last write permissions (2 or w) should likely never be seen without good reasons on files within your web root.
Second thing to try, use the index.html within your browsers URL bar
# by IP
http://192.168.0.100/index.html
# by domain
http://site-name.local/index.html
If the above loaded your document then, like @Pekka 웃 stated already, you've likely got a server option that's missing or enabling directory listings instead of looking for an index page within that directory. If this is the problem then there are two ways of fixing it that I've tried in the past. One, htaccess configuration to disable directory listing within that sub-directory, two, server vhost configuration to prevent whole site from directory listings. Personally I prefer to use option two and then on directories that should be allowed to be listed place an htaccess config for permissions instead of denials.

Fortrabbit And phpMyAdmin: installation clarification

I've been following the Fortrabbit's guide to install phpMyAdmin.
I've managed to put the folder in my htdocs, but from what I read I must actually upload it into the app root below htdocs. Problem is the app root has write protection and I can't seem to change permissions via SFTP.
Any solutions?
Edit
Solved. I had my Root Path under settings set to htdocs/public, so I couldn't hit the phpMyAdmin folder. Setting the Root Path back to htdocs/ enabled me to access it like normal.
Where did you read it must go to the app root? I don't see that in the tutorial, but admit I may have missed it. Also, I'm not clear what you mean by "app root".
Note that in this case, there are three different 'root' folders, be careful not to get confused.
The file system root, /. All the files on your server live here. Depending how fortrabbit configures their system, you may not even have access to this.
The web folder root. Files in this folder and below are available online through your webserver.
The SFTP root. This also depends on how fortrabbit configures their server, it could be your web root, the file system root, or your home directory. You may be able to change to other folders, or maybe not.
Normally, htdocs is the root or base folder where your webserver is looking for files to serve. It isn't clear from my browsing the fortrabbit site if they do anything odd with their configuration, so this is a close approximation for what most servers look like. For the sake of illustration, we'll pretend that htdocs is in /var but it can be anywhere on disk.
So the file system might look a bit like:
/
/bin/
/etc/
/home/MichaelHanslo/
/home/MichaelHanslo/budget_presentation.odf
/var/
/var/htdocs/
/var/htdocs/index.html
/var/htdocs/pma/
/var/htdocs/calendar/
/var/htdocs/calendar/modify.php
/var/logs/
So in that scenario, going to http://example.com/ loads the file /var/htdocs/index.html, going to http://example.com/calendar/modify.php loads /var/htdocs/calendar/modify.php. So in most cases, you want to create a folder under htdocs for phpMyAdmin; you can call it anything you want (in my example above, I used 'pma'). Anyway, if you don't have permission to create the folder under your web root, then you should definitely ask your host for help, because something isn't right.
Hope that helps clear it up for you.

How to specify source and destination FTP directories in script task?

I am creating a script on the fly to ftp some files from a remote computer. I create a file which is then called from the command line with
ftp -s:filename proxy
where filename is the file I just created. The file has code similar to the following:
anonymous#ip address
username
prompt off
binary
cd c:\destination directory
mget c:\source directory\*.*
quit
That doesn't work. Neither does the following:
anonymous#ip address
username
prompt off
binary
cd c:\source directory
mput c:\destination directory
quit
Obviously, I'm not so good at ftp. How, in what order, where in my file do I specify the place where I want the files to be put (destination directory, and also from where the ftp process is running), and where I want the files to come from (ip address computer which has files I want). Do I need to set the directory before starting the ftp process?
I'm running this in an SSIS package, and I'm not using the SSIS ftp task, because I don't want a failure if no files are found. If there's nothing there, that's cool. If there is something there, I want a copy.
(It was working in my development area, and now, when I'm trying to get files from a server that I truly have no access to except ftp, I'm not getting anything. See How to avoid SSIS FTP task from failing when there are no files to download? for an earlier, related question.)
Update:
Both of the answers below, listing lcd and cd, are correct. However, my example still failed, until I replaced the backslashes with forward slashes. In other words, my final, working result is as follows:
anonymous#ip address
username
prompt off
binary
lcd /destination directory
cd /source directory
mget *.*
quit
Are you looking for LCD and CD where LCD changes directory on the local machine? EG:
LCD c:\destination directory
mget c:\source directory\*.*
In most ftp clients you can set the working directory on the server with the command cd, and you set the working directory on the client with the command lcd.
But it is not clear to me what you are trying to do.
Are you trying to move or copy files that are on the ftp server to another location on the ftp server? As far as I know you cannot do that with ftp. If you wished to copy files from one folder on the ftp server to another, then I believe you would get a copy to the local system, and then reupload them to a new folder. If you wish to move files you can use the rename command.

How to copy the contents of an FTP directory to a shared network path?

I have the need to copy the entire contents of a directory on a FTP location onto a shared networked location. FTP Task has you specify the exact file name (not a directory) and File System Task does not allow accessing a FTP location.
EDIT: I ended up writing a script task.
Nothing like reviving a really old thread... but there is a solution to this.
To copy all the files from a directory, specify your remote path to be /[directory name]/*
Or for just files and not directories /[directory name]/.
Or specific file types; /[directory name]/*.csv
I've had some similar issues with the FTP task before. In my case, the file names changed based on the date and some other criteria. I ended up using a Script Task to perform the FTP operation.
It looks like this is what you ended up doing as well. I'd be curious if anyone else can come up with a better way to use the FTP task. It's nice to have...but VERY limited.
When I need to do this sort of thing I use a batch file to call FTP on the command line and use the mget command. Then I call the batch from the DTS/DTSX package.