 Posted by Ugo Bellavance on 06/17/04 11:08 
Richard Lynch wrote: 
> Ugo Bellavance wrote: 
>  
>>    If the needed permissions for standard PHP files and directories are 
>>'r' on files and 'r-x' on directories, how can I set my umask so that 
>>files and directories are always created as such?  I looked up 'man 
>>umask' and it seems to treat files and directories the same way.  Maybe 
>>that is impossible, but I logged in via FTP to a server of a web hosting 
>>company, and it implements just this: creates directories as rwxr-xr-x 
>>and files as rw-r--r--. 
>> 
>>     Another thing... how should I configure ownership on the files? 
>>root as owner, apache as group and no permissions for others? 
>  
>  
> Do NOT make root as owner, unless you really really really need to. 
>  
> If somebody manages to alter the contents of the file, and then manages to 
> make it executable, you no longer own that computer, they do. 
>  
> In fact, making the files owned by the apache user is what I would 
> recommend, unless you really have a hard-core reason not to, PLUS you have 
> considered all the ramifications. 
>  
> If files need to be owned by somebody else for some reason, they STILL 
> should NEVER have to be owned by root -- or else you've got some serious 
> security issues to consider. 
>  
> It's better to create a new user, with very limited and specific abilities 
> to do the minimum they need to do, than to just go using 'root' access for 
> things. 
>  
> I don't know what umask does, and I don't know what your FTP host does, 
> but I do know that you can use 'find' and its '-exec' flag to change 
> directories and files differently in a cron job if you need to do that.  
> They'll have the wrong permissions for the brief period that they are 
> created. 
>  
> Or, when you create the file, you can change its permissions at the time 
> of creation, which is probably what the FTP program does. 
>  
> umask is handy, but not the "answer" to every need. 
 
Thanks for your quick and precise reply.  I'll investigate more on that  
and follow your suggestions, which make a lot of sense.
 
Does anyone have another opinion/experience on this? 
 
Regards, 
 
Ugo
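
An added example, not part of the original thread: a single umask of 022 already yields rwxr-xr-x directories and rw-r--r-- files, because `mkdir` requests mode 0777 and ordinary file creation requests 0666 before the umask clears bits. The function names are assumptions made for this sketch; `normalize_tree` is the find/-exec approach from the quoted reply, for a tree that already exists with the wrong modes.

```shell
#!/bin/sh
# Constructed demo: everything happens under temporary directories.

# Print the ls-style mode string of a path, e.g. "drwxr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create one directory and one file under the given umask and print
# "<dir mode> <file mode>". The subshell keeps the caller's umask unchanged.
modes_under_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        mkdir "$tmp/dir"      # mkdir requests 0777, umask clears bits
        : > "$tmp/file"       # the shell requests 0666, so never any x bit
    ) || return 1
    printf '%s %s\n' "$(mode_of "$tmp/dir")" "$(mode_of "$tmp/file")"
    rm -rf "$tmp"
}

# Repair an existing tree: directories to 755, regular files to 644.
# This is the find/-exec approach from the quoted reply.
normalize_tree() {
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

modes_under_umask 022   # world-readable web content
modes_under_umask 027   # same idea with no access for "others"
```

With 027 the web server account has to be the owner or in the files' group, since "others" get nothing.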
 
  