|
|
Posted by jab3 on 12/30/05 06:14
Jerry Stuckle wrote:
> jab3 wrote:
> > So I'm considering a small project that involves online file storage.
> > Let's say I wanted to set up a site that allows people to log-on,
> > create an account, and then have space to upload files. The problem
> > I'm having concerns permissions, basically.
> >
> > 1) How do I automatically create users in Linux from a PHP script
> > running under Apache's uid/gid?
>
> You can't. You need to be running as root.
Yeah, similar to what Balazs said, I actually have done this by running
a program I wrote in C as setuid root, but I consider that dangerous.
I made the program very compact, dealing with untainted data, but
still. Guess that's the way to go for that though.
> >
> > 2) Once 1 is done, how, when they log back on (authenticated with SQL
> > which will keep up with their username), do I allow them access to
> > their files for download? I would like to use Linux file permissions
> > to try and have some sort of security (i.e., would like to store users'
> > files under /home/[user]/files), but how do I allow the PHP script to
> > securely access their files, when the script runs under the Apache uid?
> > Is this a job for suExec?
> >
>
> Again, you need to be running as root to be able to change file
> permissions for someone other than the Apache process.
Yep, that's my problem. :) I keep wondering how these other sites do
it (like these online photo sites, e.g. SnapFish, that give you an
account and let you upload images for others to see). I've considered
making it all managed from an SQL database and putting the files in a
PHP-accessible directory with SQL-generated ids as subdirectory names
for each user's folder and bypassing Linux permissions. But that seems
less secure.
> > Any input will be appreciated, and I will clarify anything that is
> > unclear.
> >
>
> One way to do the above is suexec. Or you can start batch jobs to do
> the work. One thing you do NOT want to do is give the Apache process
> root privileges.
I suppose I could have cron jobs that run x times an hour to move stuff
around. I'll have to look some more into suexec. And don't worry,
giving Apache root access has not occurred to me. :)
Thanks for help,
jab3
Navigation:
[Reply to this message]
|