如何绕过 apache 拥有上传到 PHP 网络服务器的文件?
我正在 Linux Web 服务器上开发 PHP Web 应用程序,用于为我共同教授的课程提供成绩和文档。我现在正在编写的页面用于提交作业,学生从下拉菜单中选择作业,然后上传作业并提交。提交后,有关提交的所有信息都会进入 MySQL 表,并且文件将移动到文件系统上的永久位置。理想情况下,这将是由作业、学生和版本高度组织的东西,但我现在想要的只是原则上让文件上传工作,所以现在它只是将内容发送到目录 ~/phptest/ (其权限)设置为 755,尽管我只是为了测试而尝试了 777,但这也不起作用)。下面是现在的代码:
($dbh 是我创建的扩展数据库句柄类的实例,目的是使这些特定的数据库事务更清晰)
if(isset($_POST['submit'])) {
$assignmentID = $_POST['assID'];
$tmp = "/home/username/phptest/";
$info = pathinfo($_FILES['file']['name']);
$filename = $info['basename'];
$ext = $info['extension'];
if(1) { //strcmpall($ext,array('tar.gz','zip'))) {
if($_FILES['file']['size'] < 1000000) {
$path = $tmp . $filename;
if(move_uploaded_file($_FILES['file']['tmp_name'], $path)) {
$versionQuery = $dbh->select(array('version'),array('a01_submissions'),array("studentID='$studentID'","assignmentID='$assignmentID'"));
if(count($versionQuery)) {
$versionArray = $dbh->colToArray($versionQuery,'version');
$version = max($versionArray)+1;
}
else $version = 1;
echo "Version $version.\n";
$week = $dbh->getOne('week','a01_assignments','id',$assignmentID);
$dbh->insert("a01_submissions",array('studentID','assignmentID','version','filePath'),array($studentID,$assignmentID,$version,addslashes($newpath)));
echo "File $filename sucessfully uploaded and stored at $newpath.\n";
}
else echo $moved . "
\n";
}
else die("File cannot exceed 1MB");
}
else die("Bad file extension.");
}
else {
// HTML to display the submission screen
}
但我的问题是 move_uploaded_file 仅适用于具有 777 权限的目录。仔细检查发现,这是因为 PHP 正在以用户“apache”上传内容,因此无法使用 ow 写入我的用户名拥有的目录。我在 PHP 文档中看到用户发布的解决方案建议使用 chown 回收文件,但我没有足够高的权限级别来执行此操作。有没有一个优雅的解决方案来解决这个问题,而不涉及尝试让我的用户名获得更高的权限?
I am working on a PHP web app on a Linux web server for grades and documents for a course that I am co-teaching. The page I am writing at the moment is for submitting assignments, where the student selects an assignment from a drop-down menu and then uploads the assignment and submits. On submit, all the information about the submission goes into a MySQL table, and the file is moved to a permanent location on the file system. Ideally, this would be something highly organized by assignment, student, and version, but all I want right now is to get the file upload working in principle, so for now it just sends stuff to the directory ~/phptest/ (permissions for which are set to 755, though I have tried 777 just for tests, and that didn't work either). Here is the code as it is now:
($dbh is an instance of an expanded DB handle class I created to make these specific DB transactions cleaner)
if(isset($_POST['submit'])) {
$assignmentID = $_POST['assID'];
$tmp = "/home/username/phptest/";
$info = pathinfo($_FILES['file']['name']);
$filename = $info['basename'];
$ext = $info['extension'];
if(1) { //strcmpall($ext,array('tar.gz','zip'))) {
if($_FILES['file']['size'] < 1000000) {
$path = $tmp . $filename;
if(move_uploaded_file($_FILES['file']['tmp_name'], $path)) {
$versionQuery = $dbh->select(array('version'),array('a01_submissions'),array("studentID='$studentID'","assignmentID='$assignmentID'"));
if(count($versionQuery)) {
$versionArray = $dbh->colToArray($versionQuery,'version');
$version = max($versionArray)+1;
}
else $version = 1;
echo "Version $version.\n";
$week = $dbh->getOne('week','a01_assignments','id',$assignmentID);
$dbh->insert("a01_submissions",array('studentID','assignmentID','version','filePath'),array($studentID,$assignmentID,$version,addslashes($newpath)));
echo "File $filename sucessfully uploaded and stored at $newpath.\n";
}
else echo $moved . "
\n";
}
else die("File cannot exceed 1MB");
}
else die("Bad file extension.");
}
else {
// HTML to display the submission screen
}
My problem, though, is that move_uploaded_file only works for directories with 777 permissions. Closer inspection reveals that this is because PHP is uploading stuff as the user 'apache', and therefore can't write to directories owned by my username with o-w. I saw solutions posted by users in the PHP docs that suggested using chown to reclaim the files, but I don't have a high enough permission level to do this. Is there an elegant solution to this problem that does not involve trying to get my username higher permissions?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
让系统管理员将您置于与 apache 相同的用户组中,或者理想情况下创建一个名为开发人员之类的新组,并将 apache 用户和您自己添加到其中。
否则你可以尝试使用 PHP 的 chmod 或 chown 文件上传后立即运行。如果您运行 chmod($filepath, 0777); ,这应该是一个很好的测试,看看它是否适合您。
Get the sysadmin to put you in the same user group as apache or ideally create a new group called something like developers and add the apache user and yourself to it.
Otherwise you could try using PHP's chmod or chown functions immediately after the file upload. If you run
chmod($filepath, 0777);that should be a good test of whether it will work for you or not.简短的回答:没有一个优雅的解决方案,因为这在概念上是错误的。该文件首先归 Web 服务器用户所有是有原因的。创建该文件的是 Web 服务器(从操作系统的角度来看),因此他应该拥有该文件。
长答案:
您确实希望该文件归其他用户所有的原因是什么?
底线:总有一个解决方案,而且不会破坏意义,更不用说实施安全措施了。
Short answer: There isn't an elegant solution, as this is conceptually wrong. There is a reason why the file is owned by the web server user in the first place. It is the web server which created the file (from the OS point of view), so he should own it.
Long answer:
What are the reasons behind the fact that you do want the file to be owned by an other user?
Bottom line: there is always a solution without undermining the sense, much less the implementation of security measures.