From:	Waynn Lue	Date:	Fri Jul  3 00:59:12 2009
Subject:	Re: cannot figure out permissions for fopen/fwrite

The tmp folder isn't accessible from the web though, right? Someone
would first have to get access to your server for that.

On 7/1/09, Mari Masuda <mbmasuda@stanford.edu> wrote:
>
> On Jul 1, 2009, at 12:54, Shawn McKenzie wrote:
>
>> Mari Masuda wrote:
>>> On Jul 1, 2009, at 12:20, Shawn McKenzie wrote:
>>>
>>>> Shawn McKenzie wrote:
>>>>> Mari Masuda wrote:
>>>>>> Hello,
>>>>>>
>>>>>> This is probably a dumb newbie question. I am running PHP
>>>>>> 5.2.5 and
>>>>>> Apache 2.2.8 on my Mac Book Pro OS X 10.4.11. I compiled PHP and
>>>>>> Apache
>>>>>> from source a while ago (as opposed to using the built-in web
>>>>>> server
>>>>>> that is included w/ Mac OS X). I have written the below PHP whose
>>>>>> purpose is to read an existing comma separated (CSV) file and
>>>>>> save the
>>>>>> data into a text file that I can later copy and paste from into my
>>>>>> website content management system. The problem is that on my
>>>>>> Mac, I
>>>>>> cannot seem to figure out what permissions I need to set in
>>>>>> order to
>>>>>> make the input CSV and the initially non-existant output text file
>>>>>> readable and writable by Apache/PHP. I have Googled and come
>>>>>> across
>>>>>> many pages about different ways to set permissions and different
>>>>>> permissions to set but none of the ways suggested that I tried
>>>>>> seemed to
>>>>>> work for me. As a temporary solution, I uploaded my PHP file to a
>>>>>> Windows 2003 server running Apache and PHP and it worked
>>>>>> flawlessly
>>>>>> (and
>>>>>> makes me suspicious that there is some huge security hole with the
>>>>>> Windows box since it was able to execute with no permissions
>>>>>> modifications). Any tips would be greatly appreciated. Thanks!
>>>>>>
>>>>>> Mari
>>>>>>
>>>>>> --- start my code ---
>>>>>> <?php
>>>>>>
>>>>>> $in = fopen("/Applications/apache/htdocs/wp-php/wp.csv", "r");
>>>>>> $out =
>>>>>> fopen("/Applications/apache/htdocs/wp-php/tableToCutAndPaste.txt",
>>>>>> "w");
>>>>>> $counter = 0;
>>>>>>
>>>>>>
>>>>>> fwrite($out, "<table>\n");
>>>>>>
>>>>>> while(($data = fgetcsv($in)) !== FALSE) {
>>>>>> $paperNumber = $data[0];
>>>>>> $authors = $data[1];
>>>>>> $title = $data[2];
>>>>>> $filename = $paperNumber . ".pdf";
>>>>>>
>>>>>> if(($counter % 2) == 0) {
>>>>>> fwrite($out, "<tr>\n");
>>>>>> } else {
>>>>>> fwrite($out, "<tr style=\"background: #cccccc;\">\n");
>>>>>> }
>>>>>>
>>>>>> fwrite($out, "<td><a
>>>>>> href=\"http://www.example.com/workingpapers/getWorkingPaper.php?
>>>>>> filename=$filename\">$paperNumber</a></td>\n");
>>>>>>
>>>>>>
>>>>>> fwrite($out, "<td>$authors</td>\n");
>>>>>> fwrite($out, "<td>$title</td>\n");
>>>>>> fwrite($out, "</tr>\n");
>>>>>>
>>>>>> $counter++;
>>>>>> }
>>>>>>
>>>>>> fwrite($out, "</table>\n");
>>>>>>
>>>>>>
>>>>>> fclose($in);
>>>>>> fclose($out);
>>>>>>
>>>>>> ?>
>>>>>> --- end my code ---
>>>>>
>>>>> What are the permissions on /Applications/apache/htdocs/wp-php/ ?
>>>>>
>>>>> Apache needs write permissions on that dir in order to create
>>>>> the file
>>>>> tableToCutAndPaste.txt.
>>>>>
>>>>> It's probably not a secure idea to give write permissions to
>>>>> that dir,
>>>>> so maybe create a subdir of tmp and change those permissions
>>>>> (one way):
>>>>>
>>>>> mkdir /Applications/apache/htdocs/wp-php/tmp
>>>>> chmod a+w /Applications/apache/htdocs/wp-php/tmp
>>>>>
>>>>
>>>> Also, turn on error reporting so that you can see the exact
>>>> problem. It
>>>> may not be what you think.
>>>>
>>>> --
>>>> Thanks!
>>>> -Shawn
>>>> http://www.spidean.com
>>>
>>>
>>> Thanks for the suggestions. I added the following lines to the
>>> very top
>>> of my code:
>>>
>>> error_reporting(E_ALL);
>>>
>>> mkdir("/Applications/apache/htdocs/wp-php/tmp", 0777, true);
>>> chmod("/Applications/apache/htdocs/wp-php/tmp", "a+w");
>>>
>>> and I also changed the line where it tries to open the file to
>>> write to
>>> to go to the new directory:
>>>
>>> $out =
>>> fopen("/Applications/apache/htdocs/wp-php/tmp/
>>> tableToCutAndPaste.txt",
>>> "w");
>>>
>>> Below are the errors I got:
>>> --- start errors ---
>>> Warning: mkdir() [function.mkdir]: Permission denied in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 5
>>>
>>> Warning: chmod() [function.chmod]: No such file or directory in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 6
>>>
>>> Warning:
>>> fopen(/Applications/apache/htdocs/wp-php/tmp/tableToCutAndPaste.txt)
>>> [function.fopen]: failed to open stream: No such file or directory in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 9
>>>
>>> Warning: fwrite(): supplied argument is not a valid stream
>>> resource in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 13
>>>
>>> Warning: fwrite(): supplied argument is not a valid stream
>>> resource in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 22
>>>
>>> Warning: fwrite(): supplied argument is not a valid stream
>>> resource in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 27
>>>
>>> Warning: fwrite(): supplied argument is not a valid stream
>>> resource in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 28
>>>
>>> Warning: fwrite(): supplied argument is not a valid stream
>>> resource in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 29
>>>
>>> Warning: fwrite(): supplied argument is not a valid stream
>>> resource in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 30
>>>
>>> Warning: fwrite(): supplied argument is not a valid stream
>>> resource in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 35
>>>
>>> Warning: fclose(): supplied argument is not a valid stream
>>> resource in
>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 39
>>> --- end errors ---
>>>
>>> The permissions are as follows (sorry I didn't think to include
>>> them in
>>> my original message):
>>>
>>> [Wed Jul 01 12:28:29] ~: ls -la /Applications/apache/htdocs/wp-php/
>>> total 64
>>> drwxr-xr-x 5 mari admin 170 Jun 29 16:47 .
>>> drwxr-xr-x 24 mari admin 816 Jun 29 16:47 ..
>>> -rw-r--r-- 1 mari admin 6148 Jun 28 21:11 .DS_Store
>>> -rwxr--r-- 1 mari admin 827 Jul 1 12:26 generateTable.php
>>> -rwxr--r-- 1 mari admin 17532 Jun 28 20:53 wp.csv
>>> [Wed Jul 01 12:29:01] ~:
>>>
>>> Thank you,
>>> Mari
>>
>> That's because the apache user doesn't have permissions to create the
>> dir or change the permissions. The commands I gave you need to be run
>> from the command line.
>>
>> --
>> Thanks!
>> -Shawn
>> http://www.spidean.com
>
> Oh, duh, thank you. Doing it on the command line like you said
> worked great. I also had to edit my .csv file in TextWrangler to
> change the line breaks from \r to \r\n before it would work.
> Although the Mac's built-in firewall is set to block incoming traffic
> except for network time and something installed by Adobe when I
> installed CS4, I was wondering about the security of this technique
> if done on a production server. I only run this script by pointing
> my browser to http://localhost/wp-php/generateTable.php and I think
> with my firewall settings nobody else would be able to execute this
> script, but it seems if the tmp folder is set to world writable on a
> production server that anybody might be able to somehow upload a
> malicious file if they knew the location of tmp. Any thoughts? Thanks!
>
> Mari
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>