#1
directory permissions and uploading files
Hi.
I'm trying to upload a file with a PHP script. Right now, in order for it to work, I have to set the upload directory to 777 and the tmp directory to 777. I'm trying to find more info about why it has to be this way. Also, how can I make it so I don't have to set such broad permissions on those directories? I searched online, but really couldn't find anything that explains what I want to know. Can anyone point me in the right direction? Thx.
#2
First off do you know what permission settings 777 means? Don't want to be patronizing but want to make sure you get a full answer.
-KM-
#3
Stop your online search... you will only get more confused. Unix systems differ so much that you will only get so far with online sources.
Your best bet is to learn and understand *nix permissions in full. Here is an overview quickie -

1 - For files and directories (a directory is just a file w/ a different bit mask) - you have an owner (o), a group (g), and ALL Others (a)
2 - The owner is usually the user that created the file - Understand that user does not = person all the time - user can be a program or script or the system itself
3 - The owner can always override any permission set on the file - in other words, if you are the owner of a file and you remove your own permission to the file, you can always fix it
4 - The group is a set of users that can operate on a file. Group members can do as much as the owner allows them to
5 - All others is everyone else not in the first two categories
6 - A file has permission levels: Read (r) - Write (w) - and Execute (x)
7 - Read means one can open, print (less, cat, more)
8 - Write means one can edit, delete, etc.
9 - Execute means one can run the file if it is a program or a script - execute permissions on a directory means the directory is browsable (ls, dir, cd).

Read (r) = 4, Write (w) = 2, Execute (x) = 1, thus 7 means rwx permission. Given the above, 777 means rwxrwxrwx

This is usually not a good idea. In most cases, I have found that if the "ALL OTHERS" (a) section is filled, something is not set up optimally. What I mean is, if you set up your ownership and group levels correctly, there should be no need to make your file world read/writeable. Only the owner and group members should have access.

For web applications this is more than true - Let's take as an example a content management system. You are a web developer and you decide to write a quick and dirty CMS so your client can edit a couple of HTML pages on his/her own. The files should be secured so that unauthorized users, even users on the same machine, should not have access to this user's web files.

The user should be able to do the following:

a. Login by FTP and manage files
b. Login by telnet/ssh and manage files
c. Login by CMS and manage files

Let's start with (a) - You need a user account that has ftp access. Normally this consists of adding a user "testuser", then adding this user to the ftp group so he/she can log in using an ftp client. Depending on your server setup, you may or may not have to do something specific to give the user shell access.

Now the hard part. How to allow this user to edit files through the browser? Well, the first step is to set all the desired files to be edited so that the owner is "testuser". You also want to find out what user your web server is running as (usually www, apache, nobody). Let's say it is www.

    cd /directory/of/files
    chown testuser:www *

Now you need to make it so the owner and group can edit files, while nobody else has any access at all -

    chmod 660 *

Now, it is painfully obvious why we have the last 0, but why are we using 6 instead of 7? Well, let's add it up - Read (r) = 4, Write (w) = 2, Execute (x) = 1. We only need Read and Write permissions for this task. Nothing more.

I hope this quick guide was comprehensive enough to understand. It is important that you use user/group permissions correctly, otherwise, you defeat the purpose of using *nix over MsWin* in terms of security.
__________________
Wil Moore III, MCP | Integrations Specialist | Senior Consultant Are You Listed...? | DigitallySmooth Inc.
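
The owner/group setup described in the post above, as an added example that is not part of the original thread: it lists what an upload directory grants to "all others", then hands the tree to one group with 770 on directories and 660 on files. The function names are hypothetical, and the demo uses the current user's own group as a stand-in for the web server group ("www" in the post).

```shell
#!/bin/sh
# Added example, not from the thread. Changing the group only needs membership
# in that group; changing the owner (chown testuser:www) needs root.

# Print every entry under $1 that grants any r, w or x bit to "all others".
world_access() {
    find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Hand $1 to group $2 and drop all access for everyone else:
# 770 on directories (x is what lets the group enter them), 660 on files.
tighten() {
    chgrp -R "$2" "$1" || return 1
    find "$1" -type d -exec chmod 770 {} +
    find "$1" -type f -exec chmod 660 {} +
}

# Constructed demo on a scratch tree: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    mkdir "$d/uploads"
    : > "$d/uploads/photo.jpg"
    chmod 777 "$d/uploads"; chmod 666 "$d/uploads/photo.jpg"
    echo "before:"; world_access "$d/uploads"
    tighten "$d/uploads" "$(id -g)"   # stand-in for the web server group
    echo "after:";  world_access "$d/uploads"
    ls -ld "$d/uploads" "$d/uploads/photo.jpg"
    rm -rf "$d"
fi
```

Running `world_access` against an existing upload directory before changing anything shows exactly which entries the 777 setting has exposed.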