Re: File permissions for a wiki-like site

Posted by The Natural Philosopher on 09/20/07 00:35

Jerry Stuckle wrote:
> Gordon Burditt wrote:
>>>>> I'm writing a site where a handful of people will be able to edit
>>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>>> individual files in a directory. I'd like to validate the "editors"
>>>>> using PHP, cookies, etc.
>>>>> The question is what file permissions I need to allow for the
>>>>> content to be writable by my PHP script. Do I really need to give
>>>>> write permissions to the "other" group? Are all wikis really that
>>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>>> for instance...)
>>>>> Thanks,
>>>>> Adam
>>>> The only one doing the writing will be the Apache user itself. The
>>>> system doesn't know or care who is using the editor - that's completely
>>>> between Apache and the user.
>>>>
>>>> And beware that unless you implement your own security, any of those
>>>> people will be able to edit any of the files.
>>>>
>>>> --
>>>> ==================
>>>> Remove the "x" from my email address
>>>> Jerry Stuckle
>>>> JDS Computer Training Corp.
>>>> jstuck...@attglobal.net
>>>> ==================
>>> Thanks for your reply. I am quite ignorant here, so I will see whether
>>> I can even ask a coherent follow-up. So the PHP script is run by the
>>> Apache user. Is that the user that owns Apache, or a special username?
>>
>> Often it's both.
>>
>> In a typical PHP application, there are 3 different types of users:
>>
>> OS users, stored in /etc/passwd.
>>
>> Database users, perhaps stored in the mysql.user table. Usually a web
>> application "owns" a database user and uses it on its own behalf,
>> rather than handing out database users to people who register.
>>
>> Web users, perhaps stored in some other database table, a text file,
>> or hardcoded somewhere. The web user is used for things like
>> identifying posts, and determining who gets to access what private
>> information.
>>
>> When a user registers for your web application, you typically give them
>> a web user and NOT an OS user.
>> Files are owned by OS users. Anything Apache and PHP can write on
>> can be written on regardless of the Web user. If you have rules
>> about what Web user can write on what other Web user's stuff, you
>> have to write code to enforce it. Web users normally don't have
>> corresponding OS users.
>>
>> If you are on a shared host, you may be able to FTP content in using
>> YOUR OS user but PHP runs as Apache's OS user. The only way to let
>> both write in the same place is to use mode 777 on directories (unless
>> they are in a common group, which they usually aren't).
>>
>
> A smart host will make users members of the group owned by the Apache
> server. Then you can use 660 (or 770 if it's executable) and be
> accessible by the owner and the web server, but not by other users.
>
>>
>>> It would seem, then, that I would want to give rwx permissions for the
>>> content files to that user alone (and myself), not do a chmod 777. Is
>>> that right?
>>
>> Standard UNIX file permissions don't allow a file to have two owners.
>>
>> You don't normally want to give x permission to any *file* that a
>> web application can write on (as distinguished from *directory*,
>> which needs x permission). x permission is for executables and
>> shell scripts.
>>
>>
>
> So why not just throw the door wide open to any hacker who could upload
> to that file and run whatever scripts he wants? :-)
>
>
How, if it is write protected?
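The group-based layout the replies above recommend (content group shared with the web server, 770 on the directory, 660 on files, no 777 and no execute bits), as an added shell example that is not part of the thread. It assumes WEB_GROUP names the group Apache runs as and falls back to the caller's own group so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the thread. Lays out a wiki content directory the way
# the replies recommend (shared group with the web server, 770 on the directory,
# 660 on content files, never 777) and audits it for the two risks they raise:
# world-writable entries and execute bits on files the web server can write.
# Assumption: WEB_GROUP is the group Apache runs as (often www-data or apache);
# it defaults to the caller's own group so the script runs without root.

WEB_GROUP="${WEB_GROUP:-$(id -gn)}"

# Create DIR with two sample pages and apply the group-based permissions.
setup_content_dir() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/index.txt"
    : > "$dir/about.txt"
    chgrp "$WEB_GROUP" "$dir" "$dir"/*
    chmod 770 "$dir"      # owner + web group: list, create, delete; others: nothing
    chmod 660 "$dir"/*    # owner + web group: read/write; no execute bit anywhere
}

# Report every entry under DIR that is world-writable or, for regular files,
# carries any execute bit. Returns 0 when clean, 1 when something was flagged.
audit_content_dir() {
    dir=$1
    problems=0
    for path in "$dir" "$dir"/*; do
        perm=$(printf '%04d' "$(stat -c '%a' "$path")")   # e.g. 0770 or 1777
        perm=${perm#?}                                     # keep the ugo digits
        other=${perm#??}                                   # the "other" digit
        case $other in
            2|3|6|7) echo "world-writable: $path ($perm)"; problems=1 ;;
        esac
        if [ -f "$path" ]; then
            case $perm in
                *[1357]*) echo "executable content file: $path ($perm)"; problems=1 ;;
            esac
        fi
    done
    return $problems
}

# Strip the dangerous bits without touching owner/group access.
harden_content_dir() {
    dir=$1
    chmod o-rwx "$dir" "$dir"/*
    find "$dir" -type f -exec chmod a-x {} +
}
```

Running the audit from cron or a deploy hook catches a stray `chmod 777` before the web server can be made to write into an executable file.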