Posted by The Natural Philosopher on 09/19/07 09:38
Gordon Burditt wrote:
>>>> I'm writing a site where a handful of people will be able to edit
>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>> individual files in a directory. I'd like to validate the "editors"
>>>> using PHP, cookies, etc.
>>>> The question is what file permissions I need to allow for the
>>>> content to be writable by my PHP script. Do I really need to give
>>>> write permissions to the "other" group? Are all wikis really that
>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>> for instance...)
>>>> Thanks,
>>>> Adam
>>> The only one doing the writing will be the Apache user itself. The
>>> system doesn't know or care who is using the editor - that's completely
>>> between Apache and the user.
>>>
>>> And beware that unless you implement your own security, any of those
>>> people will be able to edit any of the files.
>>>
>>> --
>>> ==================
>>> Remove the "x" from my email address
>>> Jerry Stuckle
>>> JDS Computer Training Corp.
>>> jstuck...@attglobal.net
>>> ==================
>> Thanks for your reply. I am quite ignorant here, so I will see whether
>> I can even ask a coherent follow-up. So the PHP script is run by the
>> Apache user. Is that the user that owns Apache, or a special username?
>
> Often it's both.
>
> In a typical PHP application, there are 3 different types of users:
>
> OS users, stored in /etc/passwd.
> Database users, perhaps stored in the mysql.user table. Usually a web
> application "owns" a database user and uses it on its own behalf,
> rather than handing out database users to people who register.
> Web users, perhaps stored in some other database table, a text file,
> or hardcoded somewhere. The web user is used for things like
> identifying posts, and determining who gets to access what private
> information.
>
> When a user registers for your web application, you typically give them
> a web user and NOT an OS user.
>
> Files are owned by OS users. Anything Apache and PHP can write on
> can be written on regardless of the Web user. If you have rules
> about what Web user can write on what other Web user's stuff, you
> have to write code to enforce it. Web users normally don't have
> corresponding OS users.
>
> If you are on a shared host, you may be able to FTP content in using
> YOUR OS user but PHP runs as Apache's OS user. The only way to let
> both write in the same place is to use mode 777 on directories (unless
> they are in a common group, which they usually aren't).
>
>
>> It would seem, then, that I would want to give rwx permissions for the
>> content files to that user alone (and myself), not do a chmod 777. Is
>> that right?
>
> Standard UNIX file permissions don't allow a file to have two owners.
But they do allow you to create a group to which two users only belong,
make the file owned groupwise by that group, and set 775 permissions on
it, for example.
All my PHP files are like that..me and one other person in a group I
called admins, and the file is owned by user and group admins..
You can set a sticky bit somewhere in the directory umask to enforce the
group ownership on new files as well..I forget how..must set it up.
>
> You don't normally want to give x permission to any *file* that a
> web application can write on (as distinguished from *directory*,
> which needs x permission). x permission is for executables and
> shell scripts.
>
>
Yes, but normally it does little harm. Most stuff that isn't a script or
a binary won't execute anyway. PHP does not require its files to be
executable: merely readable.
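The shared-group alternative to mode 777 discussed in this thread, as an added example that is not part of any poster's message. The directory bit that makes new files inherit the directory's group is setgid (mode 2000); the group name `webedit`, the path `/var/www/content` and the Apache account `www-data` are assumed placeholders.

```shell
#!/bin/sh
# Added example: shared-group content directory instead of mode 777.
# One-time admin steps (run as root; all names are assumed placeholders):
#   groupadd webedit
#   usermod -aG webedit adam        # the FTP/shell account
#   usermod -aG webedit www-data    # the account Apache/PHP runs as
#   setup_shared_dir /var/www/content webedit

# Hand DIR to GROUP with rwx for owner and group, r-x for others, plus the
# setgid bit (the leading 2) so files created inside inherit DIR's group.
setup_shared_dir() {
    dir=$1 group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2775 "$dir"
}

# Write a content file the way the editing process must: with umask 002,
# so the result is 664 (group-writable, not world-writable, not executable).
create_content_file() {
    ( umask 002 && printf '%s\n' "$2" > "$1" )
}

# Report policy violations under DIR: anything world-writable, and any
# directory missing the setgid bit. Empty output means the tree is clean.
audit_shared_dir() {
    dir=$1
    find "$dir" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
    find "$dir" -type d ! -perm -2000 -print | sed 's/^/no-setgid-dir: /'
}
```

The writing process needs umask 002 as well; with the common default of 022, new files come out 644 and the other group member cannot edit them.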