|
|
Posted by Jerry Stuckle on 09/18/07 22:56
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> Adam Baker wrote:
>>> On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>>> Adam Baker wrote:
>>>>> Hello,
>>>>> I'm writing a site where a handful of people will be able to edit
>>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>>> individual files in a directory. I'd like to validate the "editors"
>>>>> using PHP, cookies, etc.
>>>>> The question is what file permissions I need to allow for the
>>>>> content to be writable by my PHP script. Do I really need to give
>>>>> write permissions to the "other" group. Are all wikis really that
>>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>>> for instance...)
>>>>> Thanks,
>>>>> Adam
>>>> The only one doing the writing will be the Apache user itself. The
>>>> system doesn't know or care who is using the editor - that's completely
>>>> between Apache and the user.
>>>>
>>>> And beware that unless you implement your own security, any of those
>>>> people will be able to edit any of the files.
>>>>
>>>> --
>>>> ==================
>>>> Remove the "x" from my email address
>>>> Jerry Stuckle
>>>> JDS Computer Training Corp.
>>>> jstuck...@attglobal.net
>>>> ==================
>>>
>>> Thanks for your reply. I am quite ignorant here, so I will see whether
>>> I can even ask a coherent follow-up. So the PHP script is run by the
>>> Apache user. Is that the user that owns Apache, or a special username?
>>>
>>> It would seem, then, that I would want to give rwx permissions for the
>>> content files to that user alone (and myself), not do a chmod 777. Is
>>> that right?
>>>
>>> Thanks,
>>> Adam
>>>
>>
>> Every process in the machine runs under a specific user. That's what
>> determines the permissions available to the process.
>>
>> No one "owns" Apache.
>
> Well actually someone DOES. Even if its a dumnmy user like 'www-user' or
> somesuch.
>
No, someone owns the Apache Process. You could have 10 different Apache
Processes running, each "owned" by a different user.
> Unless you are dumb enough to run apache as root..and even then root
> 'owns it'
>
> A quick trawl through the PS command if you are oin unix, will show waht
> it runs as user wise.
>
> Viz n a system here
> ~$ ps -eadf | grep apache
> root 9197 1 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9208 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9209 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9210 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9213 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9214 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9787 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 11958 9197 0 Sep17 ? 00:00:00 /usr/sbin/apache2 -k start
>
> www-data is the user who 'owns' apache and that 'user' must have read
> access to any file apache wants to deliver.
>
And you are looking at the Process.
>
> There is a user (or even more than one) which
>> owns the files Apache uses to run. And there is a user for the Apache
>> process. They may or may not be the same.
>>
>> And chmod to 777 is highly dangerous - it allows anyone on your server
>> to read and write to your files. It should never be done if you value
>> those files, IMHO.
>>
>> Rather, you should set up the users and groups to provide the
>> appropriate permissions, then set the file permissions accordingly.
>>
>
> 755 permissions are safe enough. Full read access and only user write
> access.
>
Not at all. Would you want someone else to have access to your PHP code
or private files? Say someone who signed onto the machine with SSH or
(shudder) telnet? 755 gives them those rights.
>> I'd suggest you get a book on Linux Administration. It will help you
>> with a lot of different things. And I'm not being sarcastic about the
>> suggestion; learning some of the basics of Linux administration will
>> help you understand a lot of this better - it can be quite confusing.
>>
>>
>>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|