Permission denied when moving file with move_uploaded_file on Linux server

Viewed 4,325 times

11

I’m trying to use move_uploaded_file to move a file sent by the user to its final destination:

// Destination folder, relative to the running script
$pasta = '../../public_html/admin/helpdesk/ticket/uploads/';

if (!empty($_FILES['img']['name'])) {
    foreach ($_FILES["img"]["error"] as $key => $error) {
        $nome = $_FILES["img"]["name"][$key];
        $tmp_name = $_FILES["img"]["tmp_name"][$key];
        // Timestamp prefix plus the client-supplied file name
        $cod = date('dmyhis') . '-' . $_FILES["img"]["name"][$key];
        // basename() strips any directory components from the name
        $uploadfile = $pasta . basename($cod);
        if (move_uploaded_file($tmp_name, $uploadfile)) {
            return true;
        }
    }
}

However, the following error is occurring:

failed to open stream: Permission denied

Is there a way around this problem? I am passing the relative path of the directory, but I have tried to pass the absolute path and it also did not work.

  • What is the permission of this folder for the specific user?

2 answers

21


Linux server permissions issues

In the PHP world, there are several ways to "run" a website; in general, most of them use a web server such as Apache or Nginx. When manipulating files, there are sometimes permission problems that are not very clear. I’m going to try to demystify some of them and show what that entails for security.

Server type

It is common to see shared hosting used for PHP sites/systems. We should pay attention, because this type of hosting is usually very vulnerable if the user does not take the necessary precautions. There are also VPS/dedicated servers, where a Linux installation runs alone, thus giving the system/site greater security.

1) Basic concept of permissions:

In Linux, there is a system of file and folder permissions designed to deliver a safe environment shared by more than one user. Roughly, in numerical representation, there are 3 bits which indicate by whom the file can be accessed. See an example:

765 arquivo1.txt
644 arquivo2.txt

The first digit shows us the permission of the owner, the second the permission of the group, and the third the general permission (other users).

In the first example, we have:

7 -> Owner has permission 7 (read, write and execute)
6 -> Group has permission 6 (read, write) but cannot execute like the owner
5 -> Other users have permission 5 (read and execute) but cannot change the content.

This was a superficial explanation and may contain errors; it is better understood by reading that link.

2) Running a web server on Linux

The web server does not run as root, that is, it has no global permissions on the system. In a default installation, there is a dedicated user, usually called www-data, and a dedicated group with the same name.

When a page is requested, it is this user who reads, interprets and runs any command the script requests.

If the folder/files of the site/system belong to the user www-data, then 700 permission is sufficient to read, write and execute, since the owner has full access (7) and the other users have no access at all.

If the user who owns the project folder/files is not the same as the user the web server runs as, we have to add permission in the second and third "bit".

Say there is a user called foo, and that user belongs to the group www-data: owner foo, with group www-data.

Then we would have to give 770 permission, so that all members of the group have full access to the system/files.

Why does 777 work, after all?

By giving chmod 777 you expose your files to any user of the system, so on shared hosting any other user will be able to read your files, modify the content and even do an 'include' via script.

Conclusions

  • If you use shared hosting, 777 is a mistake you must never commit.
  • If you use a dedicated / VPS server, you should set your files and folders to be owned by the same user the web server runs as. In Debian / Ubuntu this user is www-data, but it can be customized / vary in other distributions.

To change the owner of a folder and all files / internal folders (recursively):

chown -R usuario:group minha_pasta_www

In the standard case,

chown -R www-data:www-data minha_pasta_www


In short, 777 never!
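
The rules described in this answer, as an added example that is not part of the original answer: it works out which of the three permission digits applies to the web-server user and whether that digit allows creating a file in the upload directory. It assumes GNU `stat`, no ACLs, and ignores root; the function names and the foo/www-data scenario are illustrative.

```shell
#!/bin/sh
# Added example: why 775 can fail for the web-server user, and why 777 "fixes" it.
# Assumptions: GNU stat (stat -c), no ACLs; root is ignored (it bypasses mode bits).

# access_class OWNER GROUP USER "USER_GROUPS": the kernel checks exactly one class,
# the first that matches: owner, then group, then other.
access_class() {
    if [ "$3" = "$1" ]; then echo owner; return 0; fi
    for g in $4; do
        if [ "$g" = "$2" ]; then echo group; return 0; fi
    done
    echo other
}

# can_create MODE CLASS: creating a file in a directory needs write (2) and
# search/execute (1) on the directory for the class that applies.
can_create() {
    bits=$(( 0$1 ))                       # read the mode as an octal number
    case $2 in
        owner) bits=$(( bits >> 6 )) ;;
        group) bits=$(( bits >> 3 )) ;;
    esac
    [ $(( bits & 3 )) -eq 3 ]
}

# world_writable MODE: true when "other" has the write bit (777, 757, ...).
world_writable() { [ $(( 0$1 & 2 )) -ne 0 ]; }

# check_upload_dir DIR USER: report on a real directory (subshell keeps vars local).
check_upload_dir() (
    mode=$(stat -c %a "$1") || exit 2
    class=$(access_class "$(stat -c %U "$1")" "$(stat -c %G "$1")" "$2" "$(id -Gn "$2")")
    if can_create "$mode" "$class"; then verdict="can"; else verdict="cannot"; fi
    echo "$2 $verdict create files in $1 (checked as $class, mode $mode)"
    if world_writable "$mode"; then
        echo "warning: $1 is writable by every local account"
    fi
)

# Constructed scenario matching the question: directory owned by foo:foo, mode 775,
# PHP running as www-data, which is not in foo's group, so "other" (5) applies.
# check_upload_dir /path/to/uploads www-data     # run this on the server itself
```

With mode 775 and a web-server user that is neither the owner nor in the group, only the last digit (5) is consulted, which is why the upload fails until ownership or group membership is corrected.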

4

I went to check the directory and saw that it had permission 775; I switched to 777 and, when trying to save the file again, everything went OK.

  • I’ll answer that question with why I don’t use 777

  • 2

    Couldn't you change the user instead of changing the permission?
