PHP permissions

#1

I have php files that are owned by a “mysiteadmin” user account. When users browse to my site and access these php files, it doesn’t seem like they execute as the mysiteadmin user. Basically, I have a php page that loads a jpg. I want to chmod the jpg to 600 so that only the mysiteadmin user can view it, i.e. I don’t want someone to browse to the jpg directly. But it seems like the jpg needs to be 644 or else the php page can’t load it. So my question is - what permissions does the php file have when it loads and how can I enforce the logic I want? My php page uses a php script to password protect it, but I don’t want users to circumvent that by browsing directly to resources that are included in the password protected php page.


#2

sounds like your php script outputs html which points to the jpg file. so while the script actually does run as mysiteadmin, the script isn’t accessing the jpg file – the browser is, and it’s going to do that as dhapache.

you can’t prevent people from going directly to the image file because you can’t reliably tell if they’re doing that or if they’re requesting the image because they just loaded a page which displays the image.

if you have a php login system and you only want registered users to be able to access the image, you can move the image file outside your document root and write a php script which checks if there’s a user logged in and then passes through the image with the appropriate headers. if there’s no user logged in you could fail with a 404 or 403 or even pass through a different image.

track7 - my dream-hosted site
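
A sketch of the pass-through script described in reply #2, added here as an example and not code from either poster. It assumes the login script sets `$_SESSION['user_id']`, that the images sit in a hypothetical directory outside the document root, and that the file name arrives in a hypothetical `name` query parameter.

```php
<?php
// image.php: added example, not code from the thread.
// Assumptions (hypothetical): the login script sets $_SESSION['user_id'],
// and the images live in a directory outside the document root.
declare(strict_types=1);

const IMAGE_DIR = '/home/mysiteadmin/private_images'; // hypothetical, not web-accessible
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

// Map a user-supplied name to a regular file inside $dir, or return null.
function resolve_image(string $dir, string $name): ?string
{
    // basename() drops directory components such as "../".
    $real = realpath($dir . DIRECTORY_SEPARATOR . basename($name));
    $base = realpath($dir);
    if ($real === false || $base === false || !is_file($real)) {
        return null;
    }
    // realpath() follows symlinks, so confirm the target is still under $dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403); // nobody logged in: refuse before touching the file
    exit;
}

$name = $_GET['name'] ?? '';
$path = is_string($name) ? resolve_image(IMAGE_DIR, $name) : null;
// Detect the type from the file contents, not from the requested extension.
$type = $path !== null ? (new finfo(FILEINFO_MIME_TYPE))->file($path) : false;
if ($path === null || !in_array($type, ALLOWED_TYPES, true)) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store'); // keep shared caches from storing it
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The protected page would then reference the image as `image.php?name=photo.jpg` instead of linking to the file, and the file itself no longer needs to be readable through a direct URL.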