Upload files to the folder outside root folder in Linux server?

Question

In my project, I have to upload some video files to a folder which lies outside the root folder. I am using simple php function move_uploaded_file to upload the file. I have tried with the code below.

$source  = $_FILES['Filedata']['tmp_name'];
$targetFile = '/usr/local/WowzaMediaServer-3.1.1/content/video.mp4'
move_uploaded_file($source,$targetFile);

But it is not working. Can we done it through move_uploaded_file. if not, suggest a better option to do this.

I have seen some similar question but nothing helps. So any help would be appreciated..

make sure the user running the webserver (sometimes www-data) has write permissions to the mp4 file. — Pavel, May 15 '12 at 12:49
you must give write permission to other in that temp folder. — Rohit Choudhary, May 15 '12 at 12:49
http://stackoverflow.com/search?q=%5Bphp%5D+move_uploaded_file — Ozair Kafray, May 15 '12 at 12:55
@RohitKumarChoudhary : the folder is having the write permission. — Bibin Velayudhan, May 15 '12 at 12:55
you dont have permission to write file to other change it to 777 — Rohit Choudhary, May 15 '12 at 13:27

score 3 · Answer 1 · answered May 20 '12 at 20:35

Are you sure you're not in a chroot jail?

If so, your "absolute" path name could be pointing to the wrong place-- somewhere that doesn't exist.

If so, change the path to point to somewhere within the jail.

It may be necessary to mount --bind the directory you want this to go in into some location within the jail. (Note that a symbolic link will not work for getting out of jail.)

score 2 · Answer 2 · answered May 19 '12 at 18:00

I'm going to assume you're using Apache for the purposes of this answer.

First off, is the file being uploaded ok? One possible reason you might have trouble is that the tmp directory isn't writable by the webserver, or readable come to that. Assuming that's ok then move_uploaded_file should work fine.

Create a folder next to your DOCUMENT_ROOT, let's call it "filestore". Make sure it's writable by www-data or whichever user runs apache. Now, you should be able to move the files into that folder. Note they will be owned by www-data:www-data typically - or whatever user and group your server is set up to run as. The reason I put the "filestore" folder next to the DOCUMENT_ROOT folder is that you can be sure the webserver can read the file path up to DOCUMENT_ROOT. Otherwise you run the risk of a folder part way up the path not being readable, and that'll stop you dead. e.g. if you have /usr/local/media as your target folder and /usr/local isn't readable (and executable) by the webserver, you're toast.

If all this works and you absolutely must have you media elsewhere, you can have the "filestore" folder anywhere so long as the whole path to it is read/executable by the webserver. Check each directory in the path.

If these uploaded files are being downloaded by other users via the web then the "filestore" folder only needs to have permissions of 700 since it's always going to be the web server's user which reads them. If other users need access, typically because other software running as a different user needs to use them then you might need permissions to be 750 to allow group members to read (and execute) the directory. You'll also need to add that other user to the www-data group.

For downloads you will need to write a simple script which dumps the file to the browser after doing some authentication checks. That way, you avoid having the media accessible just via http without having any authentication done first - which could make your service into an attractive place for illegal files (copyright violations being the least concern here).

score 2 · Accepted Answer · answered May 23 '12 at 13:02

More than likely this is a simple permissions issue and quite easy to solve.

Find the user that apache uses. To do this open up your httpd.conf file and look for something like:

User apache
Group apache
Change the ownership of the folder that you're trying to upload to.

chown -R apache.apache /usr/local/WowzaMediaServer-3.1.1/content/
Change the permissions of the folder

chmod -R 775 /usr/local/WowzaMediaServer-3.1.1/content/

And that should be that.

score 1 · Answer 4 · edited May 23 '17 at 11:44

1

This is a dangerous approach as it gives root privileges to the apache user, so use with caution.

Add the apache user to the list of sudoers - which will let you execute commands as root in php via system('sudo the_command'). Then move the uploaded file to a temporary location that the apache user can write do (eg. create a 'tmp' directory in the doc root). Then use system("sudo mv \"$source\" \"$destination\""); to move the temporary file to it's final location.

You can find the apache user by executing <?php echo exec('whoami'); ?>. Then add the following entry to sudoers the-apache-user ALL=(ALL) NOPASSWD: ALL. Use visudo to add the sudoer entry.

Example:

$source  = $_FILES['Filedata']['tmp_name'];
$targetFile = '/usr/local/WowzaMediaServer-3.1.1/content/video.mp4'

$tempLocation = 'tmp/temp-file.mp4';

move_uploaded_file($source, $tempLocation);

system('sudo mv "' . $tempLocation . '" "' . $targetFile . '"');

Edit: Related question - How to run PHP exec() as root?

edited May 23 '17 at 11:44

Community

1
1

answered May 17 '12 at 16:17

John Himmelman

21,504
22
65
80

5

Wow, a sane sysadmin would never give apache process root privileges! I think it's better and simpler to just make the __/usr/local/WowzaMediaServer-3.1.1/content/__ directory writable by the apache user. – Ponytech May 18 '12 at 09:17
2

This is complete overkill for what looks like a simple permissions problem, and it opens up the server to all sorts of nasty potential attacks. Don't do this! Ever. If for some bizarre reason you ever did need the webserver to execute something as root the correct way to do use the sticky-bit on a binary which does the one small function which must happen as root. That way you can open a small constrained hole in your security rather than blowing it away - and even that I wouldn't recommend on the whole. – Peter Bagnall May 19 '12 at 18:04
With all due respect this is a crazy, stupid, and potentially very dangerous suggestion. – Rob Forrest May 23 '12 at 12:55

score 1 · Answer 5 · answered May 20 '12 at 07:39

1

Always you face a problem with your code, look at the server log or easier turn on errors display. That said, your problem could be related to upload_tmp_dir setting. Check what a phpinfo() tells about that or look at your php.inifile.

answered May 20 '12 at 07:39

inigomedina

1,791
14
21

score 0 · Answer 6 · answered May 19 '12 at 02:42

0

A better solution would be to write the file somewhere where you can write (i.e. under the webroot) and then create a symlink from the media directory to be to where you wrote it.

For example:

Web Root is /var/www/html
You want it at /usr/local/WowzaMediaServer-3.1.1/content/
Create directory /var/www/html/mediaserver/content/
Make permissions on /var/www/html/mediaserver/content/ 777 (so apache can write to it)
Copy files from /usr/local/WowzaMediaServer-3.1.1/content/ to /var/www/html/mediaserver/content/
Delete /usr/local/WowzaMediaServer-3.1.1/content/ (just the "content" directory)
Create symlink from /usr/local/WowzaMediaServer-3.1.1/content/ to /var/www/html/mediaserver/content/

Then you have permissions to read/write, and the media server should too. Only issue would be if the media server is trained not to read symlinks - but you can find that out quickly enough.

answered May 19 '12 at 02:42

Robbie

17,605
4
35
72

I disagree. Uploads should never go into the web root. The problem being that people can then potentially use your server to share all sorts of nasty things without your knowledge. Better to do what you're trying to do, upload to an area outside the web root, and then if you need to offer those files to other people have a script echo the file (after doing the required authentication checks). – Peter Bagnall May 19 '12 at 17:34
Also you should avoid setting permissions on any web directory to 777. You should always restrict permissions as tightly as possible to get the job done - 777 is lazy, and can mean files are accessible to people who shouldn't have access. – Peter Bagnall May 19 '12 at 17:34
Only if you're otherwise sloppy. But then, if you're not careful enough, anyone can do anything to your server. Program right, and you're absolutely fine. – Robbie May 19 '12 at 23:02
1

Ah, the old saying, "in theory, theory and practice are the same, in practice, they're different!". There's a general principle in security called "Defence in Depth" which basically means you should have multiple layer of security because no single layer is perfect to they support each other. No one intends to make programming errors which lead to security problems but they happen all the time. Best to assume they will and act accordingly. – Peter Bagnall May 19 '12 at 23:10
Yep - i'm not disagreeing AT All with what you say I forgot to add that the reason for suggesting that location was I assumed he couldn't write to where he wanted was because of a base dir reduction. Hence I said in the Web root (which is usually permitted). Sorry, should have made that clearer! – Robbie May 20 '12 at 00:44

Upload files to the folder outside root folder in Linux server?

6 Answers6

Linked