Re: File permissions for a wiki-like site

Posted by Jerry Stuckle on 09/19/07 18:36

The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> The Natural Philosopher wrote:
>>> Jerry Stuckle wrote:
>>>> Adam Baker wrote:
>>>>> On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>>>>> Adam Baker wrote:
>>>>>>> Hello,
>>>>>>> I'm writing a site where a handful of people will be able to edit
>>>>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>>>>> individual files in a directory. I'd like to validate the "editors"
>>>>>>> using PHP, cookies, etc.
>>>>>>> The question is what file permissions I need to allow for the
>>>>>>> content to be writable by my PHP script. Do I really need to give
>>>>>>> write permissions to the "other" group? Are all wikis really that
>>>>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>>>>> for instance...)
>>>>>>> Thanks,
>>>>>>> Adam
>>>>>> The only one doing the writing will be the Apache user itself. The
>>>>>> system doesn't know or care who is using the editor - that's completely
>>>>>> between Apache and the user.
>>>>>>
>>>>>> And beware that unless you implement your own security, any of those
>>>>>> people will be able to edit any of the files.
>>>>>>
>>>>>> --
>>>>>> ==================
>>>>>> Remove the "x" from my email address
>>>>>> Jerry Stuckle
>>>>>> JDS Computer Training Corp.
>>>>>> jstuck...@attglobal.net
>>>>>> ==================
>>>>>
>>>>> Thanks for your reply. I am quite ignorant here, so I will see whether
>>>>> I can even ask a coherent follow-up. So the PHP script is run by the
>>>>> Apache user. Is that the user that owns Apache, or a special username?
>>>>>
>>>>> It would seem, then, that I would want to give rwx permissions for the
>>>>> content files to that user alone (and myself), not do a chmod 777. Is
>>>>> that right?
>>>>>
>>>>> Thanks,
>>>>> Adam
>>>>>
>>>>
>>>> Every process in the machine runs under a specific user. That's
>>>> what determines the permissions available to the process.
>>>>
>>>> No one "owns" Apache.
>>>
>>> Well actually someone DOES. Even if it's a dummy user like 'www-user'
>>> or somesuch.
>>>
>>
>> No, someone owns the Apache Process. You could have 10 different
>> Apache Processes running, each "owned" by a different user.
>>
>>> Unless you are dumb enough to run apache as root..and even then root
>>> 'owns it'
>>>
>>> A quick trawl through the PS command, if you are on unix, will show
>>> what it runs as user wise.
>>>
>>> Viz on a system here
>>> ~$ ps -eadf | grep apache
>>> root 9197 1 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
>>> www-data 9208 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
>>> www-data 9209 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
>>> www-data 9210 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
>>> www-data 9213 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
>>> www-data 9214 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
>>> www-data 9787 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
>>> www-data 11958 9197 0 Sep17 ? 00:00:00 /usr/sbin/apache2 -k start
>>>
>>> www-data is the user who 'owns' apache and that 'user' must have read
>>> access to any file apache wants to deliver.
>>>
>>
>> And you are looking at the Process.
>>
>>>
>>>> There is a user (or even more than one) which
>>>> owns the files Apache uses to run. And there is a user for the
>>>> Apache process. They may or may not be the same.
>>>>
>>>> And chmod to 777 is highly dangerous - it allows anyone on your
>>>> server to read and write to your files. It should never be done if
>>>> you value those files, IMHO.
>>>>
>>>> Rather, you should set up the users and groups to provide the
>>>> appropriate permissions, then set the file permissions accordingly.
>>>>
>>>
>>> 755 permissions are safe enough. Full read access and only user write
>>> access.
>>>
>>
>> Not at all. Would you want someone else to have access to your PHP
>> code or private files? Say someone who signed onto the machine with
>> SSH or (shudder) telnet? 755 gives them those rights.
>>
>
> Firstly they can't as that is all firewalled out, secondly so what? My
> code ain't that great anyway :-)
>
> If they were private files they wouldn't be accessible by a web server
> anyway.
>

Not the case in a lot of systems. Many have telnet/ssh access enabled
to allow users to access a command line prompt for various things - like
installing user software.

And even if the webserver cannot access it, anyone with telnet/ssh
access can.

>
>>>> I'd suggest you get a book on Linux Administration. It will help
>>>> you with a lot of different things. And I'm not being sarcastic
>>>> about the suggestion; learning some of the basics of Linux
>>>> administration will help you understand a lot of this better - it
>>>> can be quite confusing.
>>>>
>>>>
>>>>
>>
>>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
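
An added example, not part of the original thread or written by any of its posters: one way to apply the "set up users and groups, then set file permissions" advice, giving the content tree to the owner and the web server's group and nothing to "other". The function names are hypothetical, the demo tree is constructed, and the caller's own group stands in for the web server's group (www-data in the ps listing above) so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print every file or directory under $1 that grants read, write or
# execute to "other" (the last octal digit of the mode is non-zero).
audit_other() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Give the tree to group $2 and strip all access for "other".
# Directories get 2770: rwx for owner and group, plus setgid so files
# created later inherit the group. Files get 0660.
lock_down() {
    chgrp -R "$2" "$1" || return 1
    find "$1" -type d -exec chmod 2770 {} + &&
    find "$1" -type f -exec chmod 0660 {} +
}

# Constructed demo: a throwaway tree with the two modes discussed in the
# thread (777 and 755). The caller's own primary group (numeric id) is an
# assumption standing in for the web server's group.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/content"
    echo draft > "$root/content/page1.txt"
    echo draft > "$root/content/page2.txt"
    chmod 777 "$root/content" "$root/content/page1.txt"
    chmod 755 "$root/content/page2.txt"
    before=$(audit_other "$root/content" | wc -l)
    lock_down "$root/content" "$(id -g)"
    after=$(audit_other "$root/content" | wc -l)
    rm -rf "$root"
    echo "other-accessible entries: before=$((before)) after=$((after))"
}

demo
```

On a real server the second argument to `lock_down` would be the group the Apache worker processes run under, and the site owner's account would own the files.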

 
