Posted by Gordon Burditt on 09/19/07 23:20
>> Files are owned by OS users. Anything Apache and PHP can write on
>> can be written on regardless of the Web user. If you have rules
>> about what Web user can write on what other Web user's stuff, you
>> have to write code to enforce it. Web users normally don't have
>> corresponding OS users.
>>
>> If you are on a shared host, you may be able to FTP content in using
>> YOUR OS user but PHP runs as Apache's OS user. The only way to let
>> both write in the same place is to use mode 777 on directories (unless
>> they are in a common group, which they usually aren't).
>>
>
>A smart host will make users members of the group owned by the Apache
>server. Then you can use 660 (or 770 if it's executable) and be
>accessible by the owner and the web server, but not by other users.
In a hosted setup, it's likely that there is one instance of Apache,
thus this puts all of the users in the same group. This makes 660
or 770 just as much of a threat as 777. The threats are: other
users, admins, and someone coming in through Apache. The admins
and someone coming in through Apache you can't protect against with
file permissions.
You cannot, for example, have multiple instances of Apache listening on
port 80 of a single IP address, and I thought assigning 255 IP addresses
to a single web server went out with browsers that don't understand
HTTP/1.1 and the Host: header.
>>> It would seem, then, that I would want to give rwx permissions for the
>>> content files to that user alone (and myself), not do a chmod 777. Is
>>> that right?
>>
>> Standard UNIX file permissions don't allow a file to have two owners.
>>
>> You don't normally want to give x permission to any *file* that a
>> web application can write on (as distinguished from *directory*,
>> which needs x permission). x permission is for executables and
>> shell scripts.
>So why not just throw the door wide open to any hacker who could upload
>to that file and run whatever scripts he wants? :-)
You'd even consider allowing uploads via HTTP?
>==================
>Remove the "x" from my email address
>Jerry Stuckle
>JDS Computer Training Corp.
>jstucklex@attglobal.net
>==================
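The permission arithmetic behind this exchange, as an added example that is not code from the thread or from either poster: a classic Unix access check consults exactly one bit class (owner, group, or other) depending on who the caller is, so on a shared host where every customer is put in the web server's group, mode 770/660 lets the other customers write just as 777 does. All uids, gids, user names and modes below are constructed for illustration.

```python
# Added example, not code from the thread: models the classic Unix access
# check (one bit class per caller: owner, group, or other) to show why, on
# a shared host where every customer sits in the web server's group,
# mode 770/660 protects no better than 777 against other customers.
# All uids, gids, users and modes below are constructed for illustration.

def permission_class(file_uid, file_gid, uid, groups):
    """Pick the single bit class the kernel consults for this caller."""
    if uid == file_uid:
        return "owner"
    if file_gid in groups:
        return "group"
    return "other"

def effective_perms(mode, file_uid, file_gid, uid, groups):
    """Return the subset of {'r','w','x'} that uid gets on the object.

    Root is intentionally not special-cased: the thread's point is that
    admins (and anything running inside Apache) sit outside what file
    permissions can protect against.
    """
    shift = {"owner": 6, "group": 3, "other": 0}[
        permission_class(file_uid, file_gid, uid, groups)]
    bits = (mode >> shift) & 0o7
    return {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}

# Constructed shared host: two customers plus the Apache service account.
WWW_GID = 48
USERS = {
    "alice":  {"uid": 1001, "groups": {1001}},
    "bob":    {"uid": 1002, "groups": {1002}},
    "apache": {"uid": 48,   "groups": {WWW_GID}},
}

def writers(mode, file_uid, file_gid, users):
    """Names of the users who can write the object under the given ownership."""
    return sorted(name for name, u in users.items()
                  if "w" in effective_perms(mode, file_uid, file_gid,
                                            u["uid"], u["groups"]))

def shared_host_scenarios():
    """Three ways alice's upload directory could be set up; who can write it?"""
    everyone_in_www = {n: {"uid": u["uid"], "groups": u["groups"] | {WWW_GID}}
                       for n, u in USERS.items()}
    return {
        # 1. chmod 777, group alice: the 'other' bits let every account write.
        "777 group=alice": writers(0o777, 1001, 1001, USERS),
        # 2. chmod 770, group www, but the host put ALL customers in www:
        #    bob writes through the group bits, exactly as with 777.
        "770 group=www, all in www": writers(0o770, 1001, WWW_GID, everyone_in_www),
        # 3. chmod 770, group www, only apache in www (alice writes as owner):
        #    bob falls through to the 'other' bits and gets nothing.
        "770 group=www, bob not in www": writers(0o770, 1001, WWW_GID, USERS),
    }

def web_writable_file_is_executable(mode):
    """Flag a file Apache can write on that also carries any execute bit,
    the combination the thread says a plain data file should never have."""
    apache = USERS["apache"]
    perms = effective_perms(mode, 1001, WWW_GID, apache["uid"], apache["groups"])
    return "w" in perms and (mode & 0o111) != 0

if __name__ == "__main__":
    for label, who in shared_host_scenarios().items():
        print(f"{label:32s} writable by: {', '.join(who)}")
    for mode in (0o660, 0o770):
        print(f"file mode {mode:o}: web-writable and executable? "
              f"{web_writable_file_is_executable(mode)}")
```

Scenario 2 is the one the reply above objects to: putting every customer in the Apache group turns the group bits into a second set of "other" bits. Scenario 3 only holds when the group is genuinely not shared with the other customers, which the earlier quoted text notes is usually not the case on shared hosting.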