Posted by The Natural Philosopher on 09/18/07 18:03
Jerry Stuckle wrote:
> Adam Baker wrote:
>> On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>> Adam Baker wrote:
>>>> Hello,
>>>> I'm writing a site where a handful of people will be able to edit
>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>> individual files in a directory. I'd like to validate the "editors"
>>>> using PHP, cookies, etc.
>>>> The question is what file permissions I need to allow for the
>>>> content to be writable by my PHP script. Do I really need to give
>>>> write permissions to the "other" group. Are all wikis really that
>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>> for instance...)
>>>> Thanks,
>>>> Adam
>>> The only one doing the writing will be the Apache user itself. The
>>> system doesn't know or care who is using the editor - that's completely
>>> between Apache and the user.
>>>
>>> And beware that unless you implement your own security, any of those
>>> people will be able to edit any of the files.
>>>
>>> --
>>> ==================
>>> Remove the "x" from my email address
>>> Jerry Stuckle
>>> JDS Computer Training Corp.
>>> jstuck...@attglobal.net
>>> ==================
>>
>> Thanks for your reply. I am quite ignorant here, so I will see whether
>> I can even ask a coherent follow-up. So the PHP script is run by the
>> Apache user. Is that the user that owns Apache, or a special username?
>>
>> It would seem, then, that I would want to give rwx permissions for the
>> content files to that user alone (and myself), not do a chmod 777. Is
>> that right?
>>
>> Thanks,
>> Adam
>>
>
> Every process in the machine runs under a specific user. That's what
> determines the permissions available to the process.
>
> No one "owns" Apache.

Well actually someone DOES. Even if it's a dummy user like 'www-user' or
somesuch.
Unless you are dumb enough to run apache as root..and even then root
'owns it'
A quick trawl through the ps command, if you are on unix, will show what
it runs as user wise.
Viz. on a system here
~$ ps -eadf | grep apache
root 9197 1 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9208 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9209 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9210 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9213 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9214 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9787 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 11958 9197 0 Sep17 ? 00:00:00 /usr/sbin/apache2 -k start
www-data is the user who 'owns' apache and that 'user' must have read
access to any file apache wants to deliver.

> There is a user (or even more than one) which
> owns the files Apache uses to run. And there is a user for the Apache
> process. They may or may not be the same.
>
> And chmod to 777 is highly dangerous - it allows anyone on your server
> to read and write to your files. It should never be done if you value
> those files, IMHO.
>
> Rather, you should set up the users and groups to provide the
> appropriate permissions, then set the file permissions accordingly.
>
755 permissions are safe enough. Full read access and only user write
access.
> I'd suggest you get a book on Linux Administration. It will help you
> with a lot of different things. And I'm not being sarcastic about the
> suggestion; learning some of the basics of Linux administration will
> help you understand a lot of this better - it can be quite confusing.
>
>
>
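
An added example, not part of the thread: one way to give the web server's user write access to a content directory through a group instead of chmod 777, plus a check for anything left world-writable. The function names and the path in the usage comment are hypothetical; the group would be the one the Apache workers run as (www-data in the ps output above), and the mode helper assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage, with a hypothetical path and the group seen in the ps output:
#   lock_down_content /path/to/content www-data

# List every file or directory under $1 that "other" can write to,
# i.e. what a blanket chmod 777 / 666 leaves behind.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Hand write access to group $2 and remove all access for "other".
# Directories get 2770: the setgid bit makes new files inherit the group,
# so files created later stay writable by the web server group.
# Files get 0660: read/write for owner and group, nothing for anyone else.
lock_down_content() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} + || return 1
}

# Print the octal mode of a path (GNU coreutils stat, as on Linux).
mode_of() {
    stat -c '%a' "$1"
}
```

The account running this must own the files and be a member of the target group (or be root), otherwise chgrp fails and the function returns non-zero.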