While developing the Foliopress WYSIWYG we decided to build the image management on top of Kae Verens’ excellent KFM file manager. While we are totally happy with how KFM handles the images themselves, we were unable to work with images uploaded via FTP.
Uploading images one by one through an image editor is fine; uploading twenty that way is annoying. One of the reasons to prefer WordPress over Typepad is that you do have direct access to the server via FTP. So this was clearly not acceptable. It wasn’t even possible to change the file ownership of httpd via SSH (without root permissions).
Back in SEO Images we tried to move the images, but there was a problem. Images could not be moved, deleted, or even renamed. Researching the issue further, we found a problem with users and their permissions. Images uploaded by FTP belong to user fv, but PHP runs as user httpd.
So the issue is that FTP and PHP run as different users, and these users cannot touch each other’s files except to read them. We tried to set the folder owner to fv and group httpd, but newly uploaded files were still locked to PHP.
After much deliberation we came up with several potential solutions.
- One possible way would be to create a nice HTTP uploader with a progress bar that lets you upload several files at once. Since you cannot do it in PHP, there is an option to use a Flash uploader. BUT BE VERY CAREFUL, since Flash uses a different session than your browser, so even if your form is secure, the Flash upload will not be. So if you choose Flash, choose your Flash uploader carefully. Security is always priority number one.
- Another option is to use FTP inside PHP: PHP logs in to the folder over FTP and changes the permissions whenever it finds a file (or directory) that doesn’t belong to the PHP script user. This will solve the issue, but in order for PHP to log in to FTP, you have to store the login information somewhere on the server. This again is a security risk. You can of course enhance the security by encrypting the login information and changing the pass-phrase for encryption every couple of hours, but for this to be really secure, you have to use a second computer (possibly non-public) to generate the pass-phrase. So this solution turns out to be not really practical.
- Since this is all a permissions issue, it can all be dealt with by changing the permissions for uploaded image files to 766 and image directories to 777. This may be very dangerous, because these modes make the files and directories writable by every user on the server, especially on cheap shared hosts, which often have mod_security turned off and do not protect the directories between clients.
But changing permissions turns out to be the easiest and probably the safest solution (safer than storing FTP login info on your server!). When your server security is high and, like us, you only need this to upload images, maybe this is what you want. If you are working with an httpd file manager but would like to be able to use FTP with it, just set the permissions of files uploaded via HTTP and also via FTP to 766 and folders to 777 and you’re good to go.
In our particular case we actually had to change a bit of code in KFM so that it changes the permissions of newly created directories, which allows the FTP manager to work on the uploaded images.
@chmod( $physical_address, octdec( '0'. $kfm_default_directory_permission ) );
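The create-then-chmod step behind the line above, as an added example that is not KFM’s own code: it shows why the explicit chmod() is needed after creating a directory, why the setting goes through octdec(), and how to check the result instead of silencing it with @. The function names and the demo path are hypothetical, the setting is assumed to be a string such as '777', and a POSIX host is assumed.

```php
<?php
// Added example, not KFM's own code. $permission stands in for the value of
// $kfm_default_directory_permission, assumed here to be a string such as '777'.

// Turn a setting like '777' or '0777' into the integer mode chmod() expects.
function parse_octal_mode(string $permission): int
{
    if (!preg_match('/^0?[0-7]{3}$/', $permission)) {
        throw new InvalidArgumentException("Not an octal mode: $permission");
    }
    // The digits must be read as octal: octdec('777') is 0777, whereas the
    // decimal integer 777 handed to chmod() would be mode 01411.
    return (int) octdec($permission);
}

// Create $path if needed and force the configured mode onto it (hypothetical helper).
function make_shared_directory(string $path, string $permission): int
{
    $mode = parse_octal_mode($permission);
    // mkdir() masks the requested mode with the process umask (0777 with
    // umask 022 yields 0755), so an explicit chmod() has to follow.
    if (!is_dir($path) && !mkdir($path, $mode, true)) {
        throw new RuntimeException("mkdir failed: $path");
    }
    // chmod() succeeds only if the PHP user owns $path (or is root). Check the
    // return value rather than hiding a failure behind @.
    if (!chmod($path, $mode)) {
        throw new RuntimeException("chmod failed, is PHP the owner? $path");
    }
    clearstatcache(true, $path);
    return fileperms($path) & 07777; // permission bits only
}

// Constructed demo in a throwaway temp directory.
$dir = sys_get_temp_dir() . '/kfm_demo_' . uniqid();
umask(0022);
printf("mode now %o\n", make_shared_directory($dir, '777'));
rmdir($dir);
```

For directories created over FTP the chmod() call fails because PHP is not the owner, so their mode has to be set from the FTP side.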
The great thing about this fix is that our image manager is now totally compatible with FTP, so uploading and managing hundreds of images is no longer a concern. Together with Lightbox, SEO Images effectively becomes full-scale gallery software, and not just for a few images per post. Here is an example gallery of images of Vienna’s industrial south.