How to create a folder above the root directory using php


My root dir is

/var/www/html/

I want to create a directory at /var/www/, i.e. /var/www/myfolder

I'm executing create_dir.php from

/var/www/html/site/create_dir.php

When I execute this program it's unable to create the folder.

In the log I'm getting permission denied.

Update:

This is my code

<?php
$os_type = php_uname('s');
$cur_file_path = $_SERVER['PHP_SELF'];
echo "File path:$cur_file_path<br>";
$scount = substr_count($cur_file_path, '/');
echo "/ count:$scount<br>";
$doc_root = $_SERVER['DOCUMENT_ROOT'];
echo "doc root:$doc_root<br>";
if ($os_type == 'Linux')
{
    $ds = substr_count($cur_file_path, "/"); // directory separator
    echo "Count of /=$ds<br>";
}
if (strpos($os_type, 'Windows') === 0) // php_uname('s') returns e.g. "Windows NT"
{
    $ds = substr_count($cur_file_path, "\\"); // directory separator
}
// Build a relative path that climbs one level per "/" in the script path.
$path = "../";
for ($i = 1; $i < $scount; $i++)
{
    $path .= "../";
}

$dir = "myfolder";
// Note: $path is never used, so mkdir runs in the current working directory.
exec("mkdir " . $dir);
?>

How to solve this?

There are 2 best solutions below

0
AddWeb Solution Pvt Ltd On BEST ANSWER

That is a security problem as it gives read and write access to the world. It may be that your apache user does not have read/write permissions on the directory.

Here's what you do if $os_type=='Linux':

1. Make sure all files are owned by the Apache group and user. In Linux it is the www-data group and user.

exec('chown -R www-data:www-data /path/to/webserver/www', $output, $result);

2. Next, enable all members of the www-data group to read and write files:

exec('chmod -R g+rw /path/to/webserver/www', $output, $result);

The PHP mkdir() function should now work without returning errors. You can also see the error output in $output in case of error.

There is another way to create a directory, using FTP:

You can try mkdir with FTP. mkdir works with stream wrappers, so it's OK to write mkdir('ftp://user:pass@server/mydir');

OR

If you have problems with the SAFE MODE restriction in effect, i.e. if you try to create and access subdirectories recursively, you can use ftp-lib like this.

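<?php

define('FTP_USER', 'yourUser');
define('FTP_PASS', 'yourPassword');

/**
 * Creates each missing directory along $path over FTP.
 *
 * @param string $path Directory to create
 * @return string|false Created directory or false
 */
function mkDirFix($path) {
    $parts = explode("/", $path);
    $currPath = ""; // initialise before appending to it
    $conn_id = @ftp_connect("localhost");
    if (!$conn_id) {
        return false;
    }
    if (!@ftp_login($conn_id, FTP_USER, FTP_PASS)) {
        // Login failed: nothing was created, so report failure.
        @ftp_close($conn_id);
        return false;
    }

    foreach ($parts as $dir) {
        if (!$dir) {
            continue; // skip empty segments from leading or doubled slashes
        }
        $currPath .= "/" . trim($dir);
        // Only create the segment if we cannot already change into it.
        if (!@ftp_chdir($conn_id, $currPath)) {
            if (!@ftp_mkdir($conn_id, $currPath)) {
                @ftp_close($conn_id);
                return false;
            }
            // 0777 makes the new directory world-writable.
            @ftp_chmod($conn_id, 0777, $currPath);
        }
    }
    @ftp_close($conn_id);
    return $currPath;
}
?>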

Maybe it helps.

0
Hippo Potamus On

The purpose of a "root" directory is to protect the hosting computer from malicious/buggy code that might damage information stored in other parts of the computer. It gives you an area in which you can safely do your thing while explicitly and deliberately preventing you from interfering with any data "above" your root directory. The root is as low as you can go, by design. Any host computer that has a vulnerability that would allow you to access data outside of your assigned space is a host computer begging to be hacked; you won't find many of those, hopefully.

It may be worthwhile to restructure the directories within your root directory to simulate a deeper root than what you are actually restricted to. Otherwise, it is a matter of convincing the system administrator for the host computer to allow you additional access.

In a properly designed and managed system, what you are asking for is intentionally not possible, and running into this particular roadblock is more a sign that you may need to reconsider what you want to do in light of your restrictions. Even if this is being hosted from your own computer and you are the system administrator, it would be wise to examine every possible way you can achieve the goals you hope to achieve without breaking that barrier. ANY means you implement to allow web-controlled code to break that barrier is a vulnerability in your system that someone, somewhere, is looking for an opportunity to exploit.
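
An added example, not part of either answer above: one way to keep web-run code inside a single directory that the administrator has provisioned for the web server user outside the document root, using mkdir() with an allowlisted name instead of exec("mkdir ..."). The function name createDataDir and the demo base directory are assumptions made for this example; a temp directory stands in for the provisioned location.

```php
<?php
declare(strict_types=1);

/**
 * Create $name directly under $base, a directory outside the document root
 * that the administrator provisioned for the web server user.
 * Function name and base path are assumptions made for this example.
 */
function createDataDir(string $base, string $name, int $mode = 0750): string
{
    // Allowlist the name: no separators, no "..", no leading dot or dash.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/', $name)) {
        throw new InvalidArgumentException('Rejected directory name');
    }

    // Resolve symlinks so the target is built from the real location.
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        throw new RuntimeException('Base directory is missing; it must be provisioned first');
    }

    $target = $realBase . DIRECTORY_SEPARATOR . $name;
    if (is_link($target)) {
        throw new RuntimeException('Refusing to follow a symlink at the target');
    }
    if (is_dir($target)) {
        return $target; // already exists
    }

    // mkdir() instead of exec("mkdir ..."): no shell, no command injection.
    if (!@mkdir($target, $mode)) {
        $err = error_get_last();
        throw new RuntimeException('mkdir failed: ' . ($err['message'] ?? 'unknown error'));
    }
    chmod($target, $mode); // the mode passed to mkdir() is reduced by the umask
    return $target;
}

// Constructed demo: a temp directory stands in for the provisioned base.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'provisioned-base-demo';
is_dir($base) || mkdir($base, 0750);

echo createDataDir($base, 'myfolder'), PHP_EOL;
try {
    createDataDir($base, '../escape');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```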