Posted by Jochem Maas on 03/28/05 14:51
Evert|Rooftop Solutions wrote:
> Thanx Johannes,
>
> how about making the webserver the owner of the files? Would that be a
> good idea?
> The problem is that I have a framework deployed at several clients.
> Because these are some big clients and demand high security they won't
> give me a login to their ftp or consoles.
these 'big' clients are rather missing the point aren't they?
they trust your code but not you???
> Understandable, but every time there's an update I need to mail the files
> and they have to install it. Imagine how much time that costs when
> there's a problem after the update and they need files again. Very
> annoying.
send them big bills for wasting your time.... and make it known how
such bills can be avoided :-)
>
> I consider myself a good php scripter and I will be able to make my
> scripts secure, so I need a good reason not to build in the
> auto-updater. I can tell the server is a dedicated server for my
> project, only has a webserver running (apache).
>
> Argue with me :)
argue with the clients: giving you limited (maybe also time limited)
shell access via SSH (using public key encryption to log in) and logging
all activity is a lot securer, quicker _and_ less error-prone than having
you send all your files by email, and definitely more secure than
having a web-based update tool running on their server(s).
>
> grt,
> Evert
>
> Johannes Findeisen wrote:
>
>> Hello,
>>
>> It is generally not a good idea to make scripts writeable by
>> everybody. I think that if you're implementing auto-update features in
>> PHP scripts they only could be insecure. Okay, you have one more
>> feature but what if this feature goes out of control? Be really
>> careful when writing such applications. Maybe there are nice and
>> secure solutions which maybe work but you really should set a focus on
>> security.
>>
>> More info:
>> http://www.php.net/manual/en/function.chmod.php
>>
>> Regards
>>
>> hanez
>>
>>
>
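
The permission question raised in this thread (scripts writeable by everybody, or owned by the webserver) can be checked on a deployed tree. The following is an added example, not code from any of the posters: it lists every file and directory under a document root that a given web server account could modify. The function names, the sample file names and the uid used in the demo are assumptions made for illustration.

```python
import os
import stat

def writable_by(st, uid, gids):
    """True if the mode bits in `st` let (uid, gids) write, using the usual
    Unix rule: owner class first, then group, then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(root, web_uid, web_gids=frozenset()):
    """Return sorted (path, reason) pairs for everything under `root` that
    the web server account could modify or replace."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if writable_by(os.lstat(dirpath), web_uid, web_gids):
            # A writable directory lets the account delete and recreate the
            # files in it (sticky bit aside), whatever their own modes say.
            findings.append((dirpath, "directory writable by web server"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the mode of a symlink itself is not meaningful
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif writable_by(st, web_uid, web_gids):
                findings.append((path, "writable by web server"))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    # Constructed sample tree: one read-only script, one world-writable one.
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for name, mode in (("index.php", 0o644), ("update.php", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        # Assumed web server uid: an account that does not own the tree.
        for path, reason in audit_docroot(root, os.getuid() + 1):
            print(f"{reason}: {path}")
```

When the web server account owns the tree, every script is reported, which is the situation an in-application auto-updater requires.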