Posted by Jerry Stuckle on 09/21/07 00:47

Gordon Burditt wrote:
>>> Files are owned by OS users. Anything Apache and PHP can write on
>>> can be written on regardless of the Web user. If you have rules
>>> about what Web user can write on what other Web user's stuff, you
>>> have to write code to enforce it. Web users normally don't have
>>> corresponding OS users.
>>>
>>> If you are on a shared host, you may be able to FTP content in using
>>> YOUR OS user but PHP runs as Apache's OS user. The only way to let
>>> both write in the same place is to use mode 777 on directories (unless
>>> they are in a common group, which they usually aren't).
>>>
>> A smart host will make users members of the group owned by the Apache
>> server. Then you can use 660 (or 770 if it's executable) and be
>> accessible by the owner and the web server, but not by other users.
>
> In a hosted setup, it's likely that there is one instance of Apache,
> thus this puts all of the users in the same group. This makes 660
> or 770 just as much of a threat as 777. The threats are: other
> users, admins, and someone coming in through Apache. The admins
> and someone coming in through Apache you can't protect against with
> file permissions.
>

Incorrect. There are ways of keeping each website code within it's own
directory, i.e. the open_basedir can be set on a per-virtual host (or
per-directory) basis. Properly set, PHP will not be able to access
files of another website.

> You cannot, for example, have multiple instances of Apache listening on
> port 80 of a single IP address, and I thought assigning 255 IP addresses
> to a single web server went out with browsers that don't understand
> HTTP/1.1 and the Host: header.
>

I didn't say anything about multiple instances on port 80, did I?

There are 65,535 ports available - and all but the first 4096 (0-4095)
are available to anyone who wants them. Port 80 just happens to be the
default port for the http: protocol.

>>>> It would seem, then, that I would want to give rwx permissions for the
>>>> content files to that user alone (and myself), not do a chmod 777. Is
>>>> that right?
>>> Standard UNIX file permissions don't allow a file to have two owners.
>>>
>>> You don't normally want to give x permission to any *file* that a
>>> web application can write on (as distinguished from *directory*,
>>> which needs x permission). x permission is for executables and
>>> shell scripts.
>
>
>> So why not just throw the door wide open to any hacker who could upload
>> to that file and run whatever scripts he wants? :-)
>
> You'd even consider allowing uploads via HTTP?
>

Sure. Protections can be established.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]