After many years of utilizing chmod 777 to resolve PHP write permission worries, I wish to know the right way of fixing the issue.

I've got a website on my small server possessed by user1 in group user1. There's a folder within this website known as uploads.

Normally to obtain writing with PHP to operate, I must chmod this folder to 777. However I clearly recognise this really is harmful and incorrect, and I wish to setup the permissions correctly to minimise risk.

From the limited understanding, I see two options,

  1. I chown the uploads folder to ensure that it's possessed by apache. By doing this, I'm able to only use the default permissions and apache can happily write to the folder.
  2. I give a second group to apache of user1. Then I give write permission towards the owner and group on uploads, that ought to allow apache to create to uploads?

My real question is, what's the ultimate way? Could it be among the above or something like that different?

When the best answer is #1, just how can user1 also write to uploads over SFTP as that solution won't allow them to?

During my current company, we set the apache group towards the group that is the owner of the folder, so you need to simply do chmod 770 around the folder to provide permissions compared to that group to complete funny stuff on that folder.

Nevertheless, you still need to keep in mind to safeguard the application from malicious users, because the PHP script being run, if sufficiently insecure, can continue to do harm to the folder.

Whether it's your personal server, the easiest way would be to set the folder towards the group apache uses, e.g. with chgrp www-data on Debian (may be different on others). You typically need to do this as root or at best like a user who can access their own and www-data group. In case your user can access www-data group, this can be an awesome feature for you personally since it's very easy then to see and perhaps write/slowly move the files. Within this situation, use 770 because the file permission and be sure that files produced by PHP understand this permission (either clearly after creating with chmod or with umask before creation. See php manual for.)

If you're focusing on a hosting that is shared atmosphere, the only real clean solution I understand is mod_suexec, but I'm not sure many hosters allow it. If this isn't available I understand only how you can say for certain, dealing with 777. Frequently, your house directory in shared conditions possesses a longer random string within the path title to ensure that others shouldn't find your directory and for that reason can't access your files. But this isn't real security. ;-)

Best of luck, Michel
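
The group-based setup described in the answers above (chgrp to the web server's group, mode 770, umask for new files), as an added shell example that is not part of the original posts. The function names are hypothetical, and `www-data` is assumed as the Apache group (Debian's name, as mentioned above; it may differ on other systems).

```shell
#!/bin/sh
# Added example: apply and verify a 770 group-writable uploads directory.
# Assumption: the web server runs with group www-data (Debian default).
WEB_GROUP="${WEB_GROUP:-www-data}"

# Hand the directory to the web server's group and drop all access for "other".
# The owner keeps full access, so the site user can still manage files over SFTP.
harden_upload_dir() {
    dir=$1
    group=${2:-$WEB_GROUP}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    chgrp "$group" "$dir" || return 1
    chmod 770 "$dir" || return 1
}

# List everything under $1 that "other" can write to (symlinks skipped,
# their mode bits are meaningless). Returns 0 if clean, 1 if anything is found.
audit_upload_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=$(find "$dir" ! -type l -perm -0002 -print)
    if [ -n "$found" ]; then
        echo "world-writable entries:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}

# Create an empty file the way an upload handler should: with umask 007
# the default 666 creation mode becomes 660 (owner and group only).
create_with_umask() {
    ( umask 007 && : > "$1" )
}

# Usage: sh fix-uploads.sh /path/to/uploads [group]
if [ "$#" -ge 1 ]; then
    harden_upload_dir "$1" "$2" && audit_upload_dir "$1"
fi
```

Changing the group to one you are not a member of requires root, as the answer notes.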