I'm using the following directory for php.ini photo uploads on Apache (Red Hat/AWS):
drwxrwxr-x 2 user2 user2 4096 Mar 4 08:10 datingPhotoUploads
Apache is running as the user 'apache'.
How can I give this folder permissions so the user 'apache' can write to it but otherwise it's as secure as possible?
Thank you
Usually the upload_tmp_dir is /tmp. This /tmp directory has some special rights (chmod 1777), where the really special right is the 1. This is the sticky bit. It means, for directories, that files created in this directory can only be deleted by the file owner, even if other rwx rights seem to apply to the file.
So having uploaded files stored in a temporary folder with 1777 rights, uploaded by the apache user, means only apache can delete these files. A good starting point.
You could use this right on your datingPhotoUploads directory. But you could also try to manage it with group ownership of the directory (chown user2:apache datingPhotoUploads; chmod 2770 datingPhotoUploads;). Here the 770 part of chmod means read, write and delete for the user and group owner set by the chown part. The 2 means every file created in this directory will have the same ownership as the directory, so user2:apache.
The main problems of upload_tmp_dir are:
- If it is not /tmp but /some/where/datingPhotoUpload, apache must be able to read the directory contents of /some and /some/where. So the x right must be set for others (or for the group, if apache is the group owner) on all these preceding paths.
- With /tmp, this directory is available to all PHP applications running on your host. Altering upload_tmp_dir on a per-application basis can restrict other applications' access, especially if you set open_basedir restrictions on all PHP applications and only the current application allows /some/where/datingPhotoUpload in the open_basedir setting.
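As an added example (not part of the question or the answer above), a POSIX shell script that applies the chown/chmod 2770 setup the answer describes and then checks the parent-directory x bits it warns about. The directory path and the owner/group parameters are assumptions; run it against your own tree.

```shell
#!/bin/sh
# Set up an upload directory as in the answer (chown user2:apache; chmod 2770)
# and verify that the web server user can actually traverse the parents.

# Apply group ownership, then setgid + rwx for owner and group, nothing for others.
# chown needs privileges unless you already own the directory, so a failure is
# reported rather than fatal; the mode is still applied.
setup_upload_dir() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir" || return 1
    chown "$owner:$group" "$dir" 2>/dev/null || echo "note: chown $owner:$group $dir needs privileges" >&2
    chmod 2770 "$dir" || return 1
}

# Octal mode of a path, including the special bits (GNU stat, as on Red Hat).
mode_of() { stat -c %a "$1"; }

# Return 0 if every ancestor of $1, up to but excluding $2 (default /), grants
# search (x) to group or others; print the first one that does not.
# Group x only helps if apache is in that group; 's' and 't' in the x positions
# mean setgid/sticky with x set (e.g. /tmp shows as drwxrwxrwt).
ancestors_traversable() {
    p=$(dirname "$1"); top=${2:-/}
    while [ "$p" != "$top" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        perms=$(stat -c %A "$p")                      # e.g. drwxr-x---
        g=$(printf '%s' "$perms" | cut -c7)           # group x position
        o=$(printf '%s' "$perms" | cut -c10)          # others x position
        case "$g$o" in
            *x*|*s*|*t*) ;;
            *) echo "not traversable: $p ($perms)"; return 1 ;;
        esac
        p=$(dirname "$p")
    done
    return 0
}
```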