Posted by Gordon Burditt on 09/19/07 00:55
>> > I'm writing a site where a handful of people will be able to edit
>> > the content using PHP scripts (FCKeditor). The content is stored as
>> > individual files in a directory. I'd like to validate the "editors"
>> > using PHP, cookies, etc.
>> > The question is what file permissions I need to allow for the
>> > content to be writable by my PHP script. Do I really need to give
>> > write permissions to the "other" group? Are all wikis really that
>> > vulnerable? (yes, I know that's the point, but for restricted wikis,
>> > for instance...)
>>
>> > Thanks,
>> > Adam
>>
>> The only one doing the writing will be the Apache user itself. The
>> system doesn't know or care who is using the editor - that's completely
>> between Apache and the user.
>>
>> And beware that unless you implement your own security, any of those
>> people will be able to edit any of the files.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================
>
>Thanks for your reply. I am quite ignorant here, so I will see whether
>I can even ask a coherent follow-up. So the PHP script is run by the
>Apache user. Is that the user that owns Apache, or a special username?

Often it's both.

In a typical PHP application, there are 3 different types of users:

OS users, stored in /etc/passwd.

Database users, perhaps stored in the mysql.user table. Usually a web
application "owns" a database user and uses it on its own behalf,
rather than handing out database users to people who register.

Web users, perhaps stored in some other database table, a text file,
or hardcoded somewhere. The web user is used for things like
identifying posts, and determining who gets to access what private
information.

When a user registers for your web application, you typically give them
a web user and NOT an OS user.

Files are owned by OS users. Anything Apache and PHP can write on
can be written on regardless of the Web user. If you have rules
about what Web user can write on what other Web user's stuff, you
have to write code to enforce it. Web users normally don't have
corresponding OS users.

If you are on a shared host, you may be able to FTP content in using
YOUR OS user but PHP runs as Apache's OS user. The only way to let
both write in the same place is to use mode 777 on directories (unless
they are in a common group, which they usually aren't).

>It would seem, then, that I would want to give rwx permissions for the
>content files to that user alone (and myself), not do a chmod 777. Is
>that right?

Standard UNIX file permissions don't allow a file to have two owners.
You don't normally want to give x permission to any *file* that a
web application can write on (as distinguished from *directory*,
which needs x permission). x permission is for executables and
shell scripts.
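The common-group alternative to mode 777 that the reply above mentions, as an added example that is not part of the thread: a directory shared by your OS user and Apache's OS user via a common group, plus a check that no content file ends up world-writable or executable. CONTENT_DIR and WEB_GROUP are hypothetical names; the group is assumed to already contain both OS users.

```shell
#!/bin/sh
# Added example, not from the thread. Give a shell/FTP user and the web server
# user shared write access through a common group instead of chmod 777.
# Assumption: "$2" names a group that already contains both OS users.
# usage: harden_content_dir /path/to/CONTENT_DIR WEB_GROUP

# Directories get 2775: rwx for owner and group, r-x for others, and the
# setgid bit so files created by either user inherit the shared group.
# Files get 664: rw for owner and group, read-only for others, no x bit,
# since a web-writable file should never be executable.
harden_content_dir() {
    dir="$1"
    group="$2"
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 664 {} + || return 1
}

# Returns 0 when nothing under "$1" is world-writable and no regular file
# carries an execute bit; returns 1 and lists offenders otherwise.
check_content_dir() {
    dir="$1"
    offenders=$(find "$dir" \( -perm -o+w -o \
        \( -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \) \) -print)
    if [ -n "$offenders" ]; then
        printf 'insecure permissions:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}
```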