Re: File permissions for a wiki-like site

Posted by Jerry Stuckle on 09/19/07 18:50

Gordon Burditt wrote:
>>>> I'm writing a site where a handful of people will be able to edit
>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>> individual files in a directory. I'd like to validate the "editors"
>>>> using PHP, cookies, etc.
>>>> The question is what file permissions I need to allow for the
>>>> content to be writable by my PHP script. Do I really need to give
>>>> write permissions to the "other" group? Are all wikis really that
>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>> for instance...)
>>>> Thanks,
>>>> Adam
>>> The only one doing the writing will be the Apache user itself. The
>>> system doesn't know or care who is using the editor - that's completely
>>> between Apache and the user.
>>>
>>> And beware that unless you implement your own security, any of those
>>> people will be able to edit any of the files.
>>>
>>> --
>>> ==================
>>> Remove the "x" from my email address
>>> Jerry Stuckle
>>> JDS Computer Training Corp.
>>> jstuck...@attglobal.net
>>> ==================
>> Thanks for your reply. I am quite ignorant here, so I will see whether
>> I can even ask a coherent follow-up. So the PHP script is run by the
>> Apache user. Is that the user that owns Apache, or a special username?
>
> Often it's both.
>
> In a typical PHP application, there are 3 different types of users:
>
> OS users, stored in /etc/passwd.
> Database users, perhaps stored in the mysql.user table. Usually a web
> application "owns" a database user and uses it on its own behalf,
> rather than handing out database users to people who register.
> Web users, perhaps stored in some other database table, a text file,
> or hardcoded somewhere. The web user is used for things like
> identifying posts, and determining who gets to access what private
> information.
>
> When a user registers for your web application, you typically give them
> a web user and NOT an OS user.
>
> Files are owned by OS users. Anything Apache and PHP can write on
> can be written on regardless of the Web user. If you have rules
> about what Web user can write on what other Web user's stuff, you
> have to write code to enforce it. Web users normally don't have
> corresponding OS users.
>
> If you are on a shared host, you may be able to FTP content in using
> YOUR OS user but PHP runs as Apache's OS user. The only way to let
> both write in the same place is to use mode 777 on directories (unless
> they are in a common group, which they usually aren't).
>

A smart host will make users members of the group owned by the Apache
server. Then you can use 660 (or 770 if it's executable) and the files will
be accessible by the owner and the web server, but not by other users.

>
>> It would seem, then, that I would want to give rwx permissions for the
>> content files to that user alone (and myself), not do a chmod 777. Is
>> that right?
>
> Standard UNIX file permissions don't allow a file to have two owners.
>
> You don't normally want to give x permission to any *file* that a
> web application can write on (as distinguished from *directory*,
> which needs x permission). x permission is for executables and
> shell scripts.
>
>

So why not just throw the door wide open to any hacker who could upload
to that file and run whatever scripts he wants? :-)


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
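A shell sketch of the layout Jerry describes (editor's OS user as owner, the web server's group as group, 770 on directories and 660 on files), followed by an audit for the two problems this thread raises: world-writable entries, and execute bits on files the web server can write. This is an added example, not code from either poster; the web server's group name is an assumption passed in as the second argument (site-specific; on Debian-derived systems it is often www-data).

```shell
#!/bin/sh
# Added example (not from the thread). Applies the editor-user/web-server-group
# layout discussed above and audits the content tree afterwards.
# Assumption: $2 is the web server's OS group (site-specific, e.g. www-data).

# apply_content_perms DIR [GROUP]
# Directories get 770: x is needed to traverse a directory.
# Files get 660: readable/writable by owner and the web server's group,
# no x bit, nothing at all for "other".
apply_content_perms() {
    dir=$1
    grp=${2:-}
    if [ -n "$grp" ]; then
        chgrp -R "$grp" "$dir"
    fi
    find "$dir" -type d -exec chmod 770 {} +
    find "$dir" -type f -exec chmod 660 {} +
}

# audit_content_perms DIR
# Lists entries that are world-writable (o+w bit set) and regular files
# carrying any execute bit. Every file in this tree is writable by the web
# server, so an execute bit on one of them is exactly the case Gordon warns
# about. Returns 1 if anything is found, 0 otherwise.
audit_content_perms() {
    dir=$1
    bad=$(find "$dir" -perm -002 -o \
        -type f \( -perm -100 -o -perm -010 -o -perm -001 \))
    if [ -n "$bad" ]; then
        printf 'audit: unsafe permissions on:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone demo: build a throwaway content tree (constructed sample data),
# start it "wide open" with 777, then fix it and audit again.
demo=$(mktemp -d)
mkdir "$demo/pages"
printf 'wiki page\n' > "$demo/pages/Main.txt"
chmod 777 "$demo/pages/Main.txt"
audit_content_perms "$demo" || echo "before: unsafe"
apply_content_perms "$demo"
audit_content_perms "$demo" && echo "after: clean"
rm -rf "$demo"
```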
