
I am using the following code to upload and move a file to the folder "film_images":

$filepath = '../images/film_images/';
echo '<br />Trying to store file at ' . $filepath;
// $ext (the target extension) is assumed to be set earlier in the script; it is not shown in the post
if (!move_uploaded_file(
        $_FILES['teaserimage']['tmp_name'],
        sprintf($filepath . '%s.%s', 'test', $ext)
)) {
    throw new RuntimeException('Failed to move uploaded file.');
}

However, like many people here, I always got a

Failed to open stream: Permission Denied

exception in PHP. Then I went to the server and, using the setfacl command, I gave permission rw- to the user www-data, which is the user running this PHP script. Using rw- I still got the exception. Only when I switched the rights to rwx, i.e. when I gave www-data full control over this folder, did it work. Now I wonder two things:

  1. Why is it necessary to give the user execution rights in order to write a file?
  2. Is there a way to write the file without giving execution rights to the user? I fear that somebody might upload code, hidden in an image file, and execute it on my server.
Skrodde

2 Answers


You need to set default permissions on the folder for newly created files. First chmod it:

chmod g+s images/film_images // set whatever permission you need

Second, you need to set default permissions on created files/folders:

setfacl -R -d -m group:www-data:rwx /path/to/your/dir // set whatever permission you need
  • I did as you said, now instead of the entry `user:www-data:rwx` I have the entry `default:user:www-data:rw-`. With this setting, again, I get the "Permission Denied" error. Any idea what went wrong? It seems to work only with the entry user:www-data:rwx. – Skrodde Jun 08 '15 at 12:19

Okay, I think I figured it out. Thanks to Paulius S. and his answer, which got me on the right track.

The folder is owned by me. First, following the answer to this post, I use

chmod g+rwxs dirname

to ensure that files created in the directory are owned by the group I belong to. In particular, www-data is not part of this group. Then using

setfacl -m u:www-data:rwx dirname

I give full access to the directory to the user www-data. Now www-data can upload a file, but this file automatically belongs to the group set above (which www-data does not belong to) and hence www-data has no execute right on it, although it can execute in the folder in general.

Skrodde
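To make the permission model discussed in the question and in both answers concrete, here is an added shell script (not part of the original question or answers) that reproduces the set-up from the second answer on a scratch directory and then checks what an upload ends up with. It assumes a Linux userland (mktemp, find, chmod, and optionally setfacl/getfacl); chmod 2770 stands in for chmod g+rwxs, and the first answer's default ACL is applied for the user nobody instead of www-data so the script runs on a machine without that account. All paths and file names are constructed for the example. The x bit on a directory is search (traverse) permission: creating an entry in a directory needs write plus search on that directory, which is why rw- alone failed in the question. That bit says nothing about whether the files inside can be executed; that depends on each file's own mode bits, and for a PHP server on whether it will interpret the file at all, so the audit functions flag both executable files and files with PHP extensions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: Linux userland
# (mktemp, find, chmod, optionally setfacl/getfacl); the user "nobody" stands
# in for www-data; every path and file name below is constructed.
set -eu

# Lay out a scratch "film_images" directory the way the second answer did:
# owner rwx, group rwx plus setgid (chmod g+rwxs), nothing for others.
make_upload_dir() {
    d=$(mktemp -d)
    chmod 2770 "$d"
    printf '%s\n' "$d"
}

# Permission string as ls shows it, e.g. drwxrws--- (the 's' is the setgid bit).
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# First answer's approach: give the web server user search+write on the
# directory, and a default ACL so files created later are only rw- for it.
# Skipped gracefully where ACLs or the "nobody" account are unavailable.
set_default_acl() {
    if command -v setfacl >/dev/null 2>&1 \
        && setfacl -m u:nobody:rwx "$1" 2>/dev/null \
        && setfacl -d -m u:nobody:rw- "$1" 2>/dev/null; then
        getfacl "$1" 2>/dev/null | grep 'user:nobody' || true
    else
        echo "ACLs unavailable here; skipping default ACL demo"
    fi
}

# Simulate what move_uploaded_file() leaves behind: a regular file created
# under the usual umask. With umask 022 the mode is 0644, so no execute bit
# even though the directory itself has x (search) set.
simulate_upload() {
    (umask 022; : > "$1/$2")
    if [ -x "$1/$2" ]; then echo executable; else echo not-executable; fi
}

# Count files carrying any execute bit (owner, group or other). An image
# never needs one.
count_executable_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | wc -l | tr -d ' '
}

# Count files with a PHP extension: the real hazard in a served directory,
# since the web server interprets them regardless of the execute bit.
count_php_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | wc -l | tr -d ' '
}

# Remove execute bits from every file; the directory keeps its search bit,
# so www-data can still create files in it.
strip_exec_bits() {
    find "$1" -type f -exec chmod a-x {} +
}

# Walk through the scenario end to end.
main() {
    dir=$(make_upload_dir)
    echo "directory mode: $(dir_mode "$dir")"
    set_default_acl "$dir"
    echo "uploaded test.jpg is $(simulate_upload "$dir" test.jpg)"
    chmod 755 "$dir/test.jpg"   # what a careless chmod on uploads would do
    : > "$dir/shell.php"        # a disguised upload that slipped through validation
    echo "executable files: $(count_executable_files "$dir"), php files: $(count_php_files "$dir")"
    strip_exec_bits "$dir"
    echo "after strip: $(count_executable_files "$dir") executable files, $(count_php_files "$dir") php files"
    rm -rf "$dir"
}

main
```

Running it as any user shows that the freshly created upload is not executable even though the directory has rwx for its writer, and that stripping execute bits does nothing about a file the web server would interpret by extension; that second problem has to be handled in the upload code (accept only image types, pick the file name and extension on the server) or by keeping the upload directory out of the interpreter's reach.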