PHP

 
 
PHP (= Hypertext Preprocessor) is an HTML-embedded server-side scripting language.

PHP is distributed at no charge for commercial or non-commercial use. For more information read the LICENSE information.

More information about PHP can be found at: http://www.php.net

PHP manuals can be found at:
http://www.php.net/manual/en/
http://devzone.zend.com/manual/

The latest PHP version can be downloaded from: http://www.php.net/downloads.php







Change a directory UID=apache and GID=apache with DirectAdmin



Information
DirectAdmin is a graphical, web-based web hosting control panel designed to make administration of websites easier.

Operating system used
Linux

Software prerequisites
PHP 4
Apache 2

Procedure
DirectAdmin does not allow you to change the UID and GID manually, and it is also not possible to change them with FTP. If you FTP files to an Apache webserver in a UNIX environment, the files and directories have the following UIDs, GIDs and permissions:
  • The created directories have UID=web, GID=web and permission=755.
    In this example "web" is used but it can be something else.

  • The uploaded files have UID=web and GID=web and permission is set to 644.
    In this example "web" is used but it can be something else.
Why do you want to change a directory UID=apache and GID=apache?
If you create a PHP script and use the function move_uploaded_file() to allow your visitors to upload files to a particular directory, e.g. <docroot>/tmpfiles/upload, the "upload" directory must have the following UID, GID and permission: UID=apache, GID=apache and permission=755.
If a visitor uploads a file, e.g. <docroot>/tmpfiles/upload/myfile.txt, it will get the following UID, GID and permission: UID=apache, GID=apache and permission=644.

The problem is that you cannot manually set the UID and GID of directory <docroot>/tmpfiles/upload to UID=apache, GID=apache. Developers sometimes create the "upload" directory with the following UID, GID and permission: UID=web, GID=web and permission=777. By setting the "upload" directory to permission=777 the move_uploaded_file() function will work; however, this is VERY INSECURE.

Files and directories should never have permission 777, especially on a shared host. If a directory has permission=777, it allows others to place files in this directory; they just need an account on the same server. Therefore files should always have permission=644 and directories should always have permission=755.

There is a trick to change the UID and GID of directory <docroot>/tmpfiles/upload to UID=apache, GID=apache and permission=755:
  1. Create file change.php, with the following content:

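    <?php
       // Executed by the web server, so the directory it creates is owned by
       // the Apache user (UID=apache, GID=apache).
       $dir = $_SERVER["DOCUMENT_ROOT"]."/tmpfiles/upload";
       if (!mkdir($dir, 0755)) {
          exit("mkdir failed: check steps 3 and 4");
       }
    ?>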


  2. Upload the script to the webserver: <docroot>/change.php

  3. Delete directory: <docroot>/tmpfiles/upload

  4. Change the permission of directory <docroot>/tmpfiles from 755 to 777 (VERY INSECURE)

  5. Execute the script: https://www.mobilefish.com/change.php

  6. Directory <docroot>/tmpfiles/upload is created with UID=apache, GID=apache and permission=755.

  7. Change the permission of directory <docroot>/tmpfiles from 777 to 755 (SECURE)

  8. Check that directories "tmpfiles" and "upload" do not contain any improper files. It is possible that during step 4, hackers were able to place files in these directories. If this is the case, remove these files.

    Note:
    When you have shared hosting, a web tool (e.g. DirectAdmin) is usually provided to administer your files and directories. With this tool you can delete these files.

  9. Function move_uploaded_file() should now work.
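
The check in step 8 can be scripted. The following is an added example, not part of the original procedure: a script (hypothetical name audit.php, hypothetical function audit_tree) uploaded to <docroot> and run once after step 7. It assumes the only entry that should exist under "tmpfiles" is the new, empty "upload" directory.

```php
<?php
// Added example: audit <docroot>/tmpfiles after the 777 window of steps 4-7.
// Assumption: "upload" is the only entry expected under tmpfiles.

// Walk $dir recursively and return one finding per suspicious entry.
function audit_tree($dir, $expected, $base = null) {
    if ($base === null) { $base = $dir; }
    $handle = opendir($dir);
    if ($handle === false) {
        return array("UNREADABLE  " . $dir);
    }
    $findings = array();
    while (($name = readdir($handle)) !== false) {
        if ($name === "." || $name === "..") { continue; }
        $path = $dir . "/" . $name;
        $rel  = substr($path, strlen($base) + 1);   // path relative to tmpfiles
        if (is_link($path)) {
            $findings[] = "SYMLINK  " . $rel;       // never follow links out of the tree
            continue;
        }
        $mode = fileperms($path) & 0777;
        $info = sprintf("%s (uid=%d, mode=%03o)", $rel, fileowner($path), $mode);
        if (!in_array($rel, $expected)) {
            $findings[] = "UNEXPECTED  " . $info;   // possibly placed during step 4
        }
        if ($mode & 0002) {
            $findings[] = "WORLD-WRITABLE  " . $info;
        }
        if (is_dir($path)) {
            $findings = array_merge($findings, audit_tree($path, $expected, $base));
        }
    }
    closedir($handle);
    return $findings;
}

$root = $_SERVER["DOCUMENT_ROOT"] . "/tmpfiles";
$findings = audit_tree($root, array("upload"));
$rootMode = fileperms($root) & 0777;
if ($rootMode !== 0755) {
    $findings[] = sprintf("tmpfiles itself has mode %03o, expected 755", $rootMode);
}
header("Content-Type: text/plain");
echo $findings ? implode("\n", $findings) . "\n" : "No unexpected entries found.\n";
```

Remove both change.php and the audit script from <docroot> once the check is done, so that neither can be requested again by visitors.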