
Securely storing private images

I am in need of a secure solution for storing a larger (unknown) amount of private images accessed only by a certain user. This question is not surrounding things like logins, sessions or anything like that - solely surrounding images and them being stored.

I'll start out with explaining what I am trying to achieve and then go on to things I've thought about doing.

Private images only accessible by a certain user

A user logs in to my site to upload and view images provided and uploaded by him/her. The images should only be accessible by that user - therefore a login is required. When an image is requested for viewing, the rendering is handled by a PHP script validating the user's authority and bringing the actual image from the safe directory.

What I know, assume and think about.

Indexing images for ease of management

Every image that gets uploaded is indexed in a database for management, i.e.

Title: "Me on a scooter"
User: {0E4A759A-CC31-4B0D-97E1-EEFB28F0BF86}
Filename: asuohLAFUUHJSFUhaSGFUOAHSGUA
Extension: .jpg

When the user wants to view the image, the server validates and checks if the user is indeed the owner of the image.

Keeping the public away from the images

I've read some articles explaining that it's good practice to keep files outside of the document root directory. Though I understand the concept, I don't fully understand how to do it in practice. My assumption:

/var/www/myFolder/ //here's where the html files are stored
/mySecureFolder/ //here's where the content are stored outside of the root, or on a higher level

So whenever the server should display an image it looks for it in the /mySecureFolder/ and checks if the file exists before rendering it for the user.

Assumption #2

Creating and placing an .htaccess file blocking everyone but localhost in the /mySecureFolder/ is what I should do to keep others out.

Question #1 The PHP process is running as the user www-data, is it safe to make the owner group of /mySecureFolder/ www-data?

Assumption #3 - Chmod

To allow none but one specific system user, I should CHMOD the folder recursively with 0770, allowing only the owner user and the owner group read, write and execute permissions.

Question #2

Is using .htaccess to deny access to everyone but localhost equivalent to placing the secure folder outside the root (/var/www/myFolder/) folder?

Assumption #4 Overkill

Encrypting every image stored on the filesystem is overdoing it and - if the directory permissions are set up correctly - unnecessary.

My attack scenario is only outer attacks: hackers cannot access the server through SSH or by physically being at the server. The possible attacks are therefore outer attacks coming from the code I created - like injections and so on.

I hope that the possible answers might come in handy for future bypassers, therefore I would appreciate it if you helped me out with formatting this question to ensure it is as clear as possible.

The best way is to store the images outside of /www - and have them in their own directory.

Then use readfile() to 'serve' the images to the authorised user. No need to CHMOD or use htaccess etc - as it is outside the www folder and cannot be accessed except through your application.

Something like this would work:

function show_image($file_name = "")
{
    // Reduce the name to its last path component; this strips any directory
    // part (and with it "../" traversal) more reliably than deleting the
    // substrings ".." and "/" one pass at a time.
    $file_name = basename($file_name);

    // now do the logic to check user is logged in - put your own code here
    if (LoggedInUserCanAccessThisFile())
    {
        // Images are stored in a specific user folder - so only the own user can get their own images
        $path = '../image_storage/' . getLoggedInUserID() . '/' . $file_name;
        if (!is_file($path)) {
            http_response_code(404);
            return;
        }

        // Send the correct MIME type and length so the browser renders the image
        header('Content-Type: ' . mime_content_type($path));
        header('Content-Length: ' . filesize($path));

        // Serve file via readfile()
        readfile($path);
    }
}

You can read more about readfile() here from php.net
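Building on the answer above and on the database index described in the question, here is an added example (not code from the original answer or the questioner's project) that serves an image by its database id, so the client never supplies a filename or path at all. It assumes a PDO connection in `$pdo`, the logged-in user's GUID in `$_SESSION['user_guid']`, a table `images(id, user_guid, filename, extension)` and a storage root `/mySecureFolder` outside the document root; all of those names are assumptions.

```php
<?php
// serve_image.php?id=123 -- added example, not from the original answer.
// Assumed: $pdo (PDO), $_SESSION['user_guid'], table images(id, user_guid, filename, extension).
session_start();
const IMAGE_ROOT = '/mySecureFolder';   // outside /var/www, never served by the web server directly
$allowedTypes = ['.jpg' => 'image/jpeg', '.png' => 'image/png', '.gif' => 'image/gif'];

function fail(int $status): void {
    http_response_code($status);
    exit;
}

if (empty($_SESSION['user_guid'])) {
    fail(401);
}

// Only an integer id crosses the trust boundary; the filename comes from our own index.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    fail(400);
}

// Ownership is enforced in the query itself: a row only comes back if the logged-in
// user owns it, so there is no separate "is this mine?" check that could be forgotten.
$stmt = $pdo->prepare('SELECT filename, extension FROM images WHERE id = :id AND user_guid = :guid');
$stmt->execute([':id' => $id, ':guid' => $_SESSION['user_guid']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || !isset($allowedTypes[$row['extension']])) {
    fail(404);   // same response whether the row is missing or owned by someone else
}

// Defence in depth: even though the index is trusted, confirm the resolved path still
// lies inside the storage root before touching the file.
$root = realpath(IMAGE_ROOT);
$path = realpath(IMAGE_ROOT . '/' . basename($row['filename']) . $row['extension']);
if ($root === false || $path === false || strncmp($path, $root . '/', strlen($root) + 1) !== 0 || !is_file($path)) {
    fail(404);
}

header('Content-Type: ' . $allowedTypes[$row['extension']]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');   // keep the private image out of shared caches
readfile($path);
```

With this layout the directory permissions and the absence of any web-server mapping for /mySecureFolder are the only things standing between the public and the files, which is why the answer above says no .htaccess rule is needed.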

I am working on a similar issue; however, I may change my logic to incorporate the readfile() function. But for now, I have images in a secure folder outside the public html folders. A PHP script reads the directory into a session array, then sorts it by file name. The second script uses HTML to navigate the array of filenames. When a file is selected, it is copied to a tmp public image directory and displayed via HTML. Before selecting the next file, the previous one is removed from the tmp directory. The original files remain in the secure folder. This may be kind of awkward, but it works well for me.
