Posted by J.O. Aho on 05/25/07 17:22
dredge wrote:
> Hi, the PHP manual says that there are three separate sets of users
> that the chmod function recognizes: the owner of the file, the group
> that the owner is in, and everyone else. How does the server keep
> track of who created the file? I don't see how this could be managed
> with cookies or by tracking ip addresses.
To make this work you need a file system that supports multiple users, such as
ext2/ext3/ext4, reiserfs/reiser4, jfs, xfs and many more.
These file systems store the user id, group id and privileges along with other data
such as creation time and file name.
If you use a single-user file system like the majority of those by Microsoft,
they can't store this extra data and chmod will not work.
> Also, how do I create user groups for chmod to recognize?
With the system command groupadd; to create a new user you use useradd.
> The project I am working on involves users uploading files to a single
> directory on the server. The MySQL database keeps track of who
> created which file (based on the file's name and the user's username)
> and only allows the users to view files they created. My problem is
> that my php script only lists the user's files, but when they are
> viewing a file, the user may easily change the url to the name of a
> file they are not authorized to view, and then successfully view it.
Don't use direct access to the files; put them in a directory to which the web
server does not have access (you can't type a URL to see the file). Then use a
script that reads the file from the protected location, but which will only list
those files that the user is allowed to read and will display a message that
they don't have authority to see the file if they try to see someone
else's file.
A good function to use:
http://www.php.net/manual/en/function.passthru.php
> I have no idea how to secure this system, other than using the chmod
> function.
Chmod will require that the user logs in with apache-auth; it will not work if
you use your own home-made login system. To make it simpler for you, and so you
can run it on a Microsoft server, I suggest you put the files in a secure
location and use passthru with a check against the database before you execute
the passthru.
--
//Aho
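The approach Aho describes (files kept outside the web root, a database ownership check before serving), as an added PHP example that is not part of the original post. It assumes a hypothetical `uploads(filename, owner)` table, a session variable `$_SESSION['username']` set by the site's own login, and a private directory `/srv/uploads_private`; it streams the file with `readfile()` rather than `passthru()`, since no shell command is needed.

```php
<?php
// Added example: serve an uploaded file only after the database confirms
// that the logged-in user owns it. Table, session key and directory are
// assumptions, not taken from the original thread.
session_start();

const UPLOAD_DIR = '/srv/uploads_private';   // outside the web root: no direct URL

// Returns the absolute path of the file, or null if the user may not read it.
function authorizedPath(PDO $db, string $username, string $requested): ?string
{
    // Drop any directory component so a request like "../../etc/passwd"
    // cannot escape the upload store.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // Ownership is recorded in the database; ask it with a prepared statement.
    $stmt = $db->prepare('SELECT COUNT(*) FROM uploads WHERE filename = ? AND owner = ?');
    $stmt->execute([$name, $username]);
    if ((int) $stmt->fetchColumn() === 0) {
        return null;
    }

    // Belt and braces: the resolved path must still lie inside UPLOAD_DIR.
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

if (!isset($_SESSION['username'])) {
    http_response_code(401);
    exit('Please log in.');
}

$db   = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret'); // placeholder credentials
$path = authorizedPath($db, $_SESSION['username'], $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(403);          // same answer for "not yours" and "does not exist"
    exit('You are not authorized to view this file.');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the only route to the bytes is this script, editing the `file` parameter in the URL yields a 403 instead of another user's upload.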