|
|
Posted by The Natural Philosopher on 09/19/07 09:33
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>> Adam Baker wrote:
>>>> On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>>>> Adam Baker wrote:
>>>>>> Hello,
>>>>>> I'm writing a site where a handful of people will be able to
>>>>>> edit
>>>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>>>> individual files in a directory. I'd like to validate the "editors"
>>>>>> using PHP, cookies, etc.
>>>>>> The question is what file permissions I need to allow for the
>>>>>> content to be writable by my PHP script. Do I really need to give
>>>>>> write permissions to the "other" group. Are all wikis really that
>>>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>>>> for instance...)
>>>>>> Thanks,
>>>>>> Adam
>>>>> The only one doing the writing will be the Apache user itself. The
>>>>> system doesn't know or care who is using the editor - that's
>>>>> completely
>>>>> between Apache and the user.
>>>>>
>>>>> And beware that unless you implement your own security, any of those
>>>>> people will be able to edit any of the files.
>>>>>
>>>>> --
>>>>> ==================
>>>>> Remove the "x" from my email address
>>>>> Jerry Stuckle
>>>>> JDS Computer Training Corp.
>>>>> jstuck...@attglobal.net
>>>>> ==================
>>>>
>>>> Thanks for your reply. I am quite ignorant here, so I will see whether
>>>> I can even ask a coherent follow-up. So the PHP script is run by the
>>>> Apache user. Is that the user that owns Apache, or a special username?
>>>>
>>>> It would seem, then, that I would want to give rwx permissions for the
>>>> content files to that user alone (and myself), not do a chmod 777. Is
>>>> that right?
>>>>
>>>> Thanks,
>>>> Adam
>>>>
>>>
>>> Every process in the machine runs under a specific user. That's what
>>> determines the permissions available to the process.
>>>
>>> No one "owns" Apache.
>>
>> Well actually someone DOES. Even if its a dumnmy user like 'www-user'
>> or somesuch.
>>
>
> No, someone owns the Apache Process. You could have 10 different Apache
> Processes running, each "owned" by a different user.
>
>> Unless you are dumb enough to run apache as root..and even then root
>> 'owns it'
>>
>> A quick trawl through the PS command if you are oin unix, will show
>> waht it runs as user wise.
>>
>> Viz n a system here
>> ~$ ps -eadf | grep apache
>> root 9197 1 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k
>> start
>> www-data 9208 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k
>> start
>> www-data 9209 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k
>> start
>> www-data 9210 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k
>> start
>> www-data 9213 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k
>> start
>> www-data 9214 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k
>> start
>> www-data 9787 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k
>> start
>> www-data 11958 9197 0 Sep17 ? 00:00:00 /usr/sbin/apache2 -k
>> start
>>
>> www-data is the user who 'owns' apache and that 'user' must have read
>> access to any file apache wants to deliver.
>>
>
> And you are looking at the Process.
>
>>
>> There is a user (or even more than one) which
>>> owns the files Apache uses to run. And there is a user for the
>>> Apache process. They may or may not be the same.
>>>
>>> And chmod to 777 is highly dangerous - it allows anyone on your
>>> server to read and write to your files. It should never be done if
>>> you value those files, IMHO.
>>>
>>> Rather, you should set up the users and groups to provide the
>>> appropriate permissions, then set the file permissions accordingly.
>>>
>>
>> 755 permissions are safe enough. Full read access and only user write
>> access.
>>
>
> Not at all. Would you want someone else to have access to your PHP code
> or private files? Say someone who signed onto the machine with SSH or
> (shudder) telnet? 755 gives them those rights.
>
Firstly they can't as that is all firewalled out, secondly so what? My
code ain't that great anyway :-)
If they were private files they wouldn't be accessible by a web server
anyway.
>>> I'd suggest you get a book on Linux Administration. It will help you
>>> with a lot of different things. And I'm not being sarcastic about
>>> the suggestion; learning some of the basics of Linux administration
>>> will help you understand a lot of this better - it can be quite
>>> confusing.
>>>
>>>
>>>
>
>
Navigation:
[Reply to this message]
|