Chmod question

Rohan_Hill

Hi, I've been having a bit of a problem here: On my webhost, I can't write to a file or directory with a PHP script unless the file or directory is chmodded to 777, so in theory anyone could write to it. This isn't normal, is it?

T_E_

In most cases, this is just how it is handled. To make the file itself it not accessible from web, just put it outside the default document folder.

If you're using a multiple user system with people having shell accounts, and you want to make the file unaccessible to other shell users, you need to make a user group with just you and the anonymous internet user / web server user (depending on your web server) and give read/write rights to that group. Group admin is sually only possible for system admin, so contact him/her.

dalecosp

Generally sysadmins want daemons that are used by the "world at large" to run with a minimum of actual privileges. Apache (as an example) generally runs as user 'nobody' or 'www' and since PHP is running on the webserver, it has the same privileges....basically very few.

This is the fundamental security issue behind things like "register_globals" now being shipped set to OFF, and why everything in php scripts should be written with an eye to security. IMO, 'get' methods are a definite NO-NO, for example, because of variable poisoning attacks, although that's minor compared to some of what's been tried. As a sysadmin, I just can't let Apache have elevated privileges, beyond those it needs to run, open sockets, and spawn children to handle user requests.

It also gives me the willies to hear of people using php web interfaces to control their servers. They're either foolish, or a lot better coders than I am (and likely, some of them are on each side of that statement).

If your FTP server will let you chgrp or chown, you might get a little headway on this, as T.E. said. I don't think most ftpd's let you do that, though....... 🙁

dalecosp