Re: Flat file security

Posted by Gary L. Burnore on 10/03/05 14:23

On 3 Oct 2005 04:02:57 -0700, "Ray" <raykyoto@gmail.com> wrote:

>Peter van Schie wrote:
>> raykyoto@gmail.com wrote:
>> > I can do #1 and I was wondering if that is sufficient. As the non-root
>> > user, I guess I cannot do #2... Can I also move the php scripts that
>> My pick would also be option #1. Moving the php scripts outside the
>> web directory is not only not necessary, but also impossible if you still
>> want to execute them from the web.
>
>Ah, I see. I didn't know it would not be possible to run php scripts
>if they are outside the web directory. Thanks!

Well, actually, you can. There are, of course, multiple ways of doing
so.

>
>> > 1) directory of the php scripts that write the flat files
>> > -rwx---r-x
>> >
>> > 2) the php scripts that write the flat files
>> > -rwx---r-x
>> >
>> > 3) the directory of the flat files
>> > -rwx---rwx
>> >
>> > 4) the flat files themselves
>> > -rwx---rw-
>> I'm not sure why you leave all the group permissions empty and why other
>> (world) do get permissions. If the webserver user is the owner of the
>> flat files directory, you can change that to -rwx------
>> Same goes for the flat files themselves.
>
>Hmmm...I noticed the files are made by the user www-data. I guess I
>didn't know what privileges it had. I enabled the world permissions
>for the directories and files for it...

Bad idea.
>
>I also tried chown'ing the file so that www-data owns it. I also tried
>to create a group so that only I and www-data are in it. Neither seems
>to work as I'm not the root user.

Yep. You need root access to change the owner on a good Unix.
>
>But, say I could make files owned by www-data and give it -rwx------.
>How could I read them?
>
>> No, not as long as PHP works on the webserver, because the script gets
>> interpreted by the webserver and only the output of the scripts is being
>> sent to the client (web browser).

Unless, of course, you've got a bug in your php code. Any simple
mistake could lead to opening your source to the world.

>Since php is server-side code, this is what I thought; but I also was
>worried that there is some way to get around it. Thanks for confirming
>to me that there isn't.
>
>Ray

--
gburnore@databasix dot com
---------------------------------------------------------------------------
How you look depends on where you go.
---------------------------------------------------------------------------
Gary L. Burnore
DataBasix
Black Helicopter Repair Svcs Division | Official Proof of Purchase
===========================================================================
Want one? GET one! http://signup.databasix.com
===========================================================================
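
Added example, not part of the original thread: a POSIX shell script that decodes the `ls -l` mode strings quoted in the message into octal and lists the entries under a flat-file directory that carry "other" (world) permission bits. The function names and the directory passed in are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the directory argument are assumptions.

# Convert a 10-character `ls -l` mode string (e.g. -rwx---r-x) to octal.
# Plain r/w/x letters only; setuid/setgid/sticky letters are not decoded.
mode_to_octal() {
    [ "${#1}" -eq 10 ] || return 2
    m=${1#?}                      # drop the file-type character
    out=""
    while [ -n "$m" ]; do
        rest=${m#???}
        t=${m%"$rest"}            # next owner/group/other triplet
        m=$rest
        n=0
        case $t in r??) n=$((n + 4)) ;; esac
        case $t in ?w?) n=$((n + 2)) ;; esac
        case $t in ??x) n=$((n + 1)) ;; esac
        out=$out$n
    done
    printf '%s\n' "$out"
}

# Entries under $1 with o+w: writable by every account that is neither
# the owner nor in the group. On a directory this also allows creating
# and deleting the files inside it.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Entries under $1 with any "other" bit set (read, write or execute).
other_access() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Report world-writable entries; exit status 1 if any are found.
audit() {
    hits=$(world_writable "$1")
    if [ -z "$hits" ]; then
        echo "OK: nothing under $1 is world-writable"
        return 0
    fi
    echo "World-writable entries under $1:"
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/flatfiles
if [ "$#" -gt 0 ]; then audit "$1"; fi
```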

 
