Chmod: web-admin

twopeak

heullowwww

I'm having a little problem here:
I have found a web-admin (create/edit/delete files and dirs online) php script on hotscripts.com

Now this is a problem, because it doesn't have the necessary rights to create/edit/delete files and dirs.
I have read several times, that it is dangerous to give my whole root 777

could anyone tell me how I can do this, so that I don't have a security risk?

Thank you very much!

dalecosp

Originally posted by twopeak
I have read several times, that it is dangerous to give my whole root 777

What dir are you referring to as 'whole root'?

If you don't admin the box (IOW, if your scripts are run as 'nobody' or 'www' 'cause that who the 'server' runs httpd as) you have little choice: set everything world writable, or chown everything to the web-user....the only other alternative is PHP run as a CGI using suexec(), and few sysadmins (in their right mind) are going to allow that...as the handbook says, this is dangerous...

I wish there was another way.....if somebody has an idea, dalecosp is listening....

twopeak

Uhhhmmmmmm
Does this mean
"you don't have any other option than to make everything write-read-execute for owner, group and everyone (777)"?

I'm on a shared host, so my root is / (in my head, it's like that)
when I ask php for the root path (or something like that) I get
/home/site165/
and in there is a folder called web, and in that folder is everything that is shown to the visitors of my site...

I work with mac most of the time, so I don't know most of the unix stuff! (and specially not permissions stuff)

What are the risks I'm really running?
can anyone who make a phpscript say something like
move_uploaded_file($filename, "http://www.myhost.com"); (eh, syntax will be wrong, but you get the picture

or is it possible for anoyone who's on my server to do something like
move_uploaded_file($filename, "/home/site165/web/");

planetsim

Chmoding Directories isnt dangerous. Its not gonna kill anyone now is it.

I chmod Dir's alot for uploading files.
Now ive never actually had anything dangerous in the end actually happen so why would it happen to you.

btw im on a Unix server. Its safe.

dalecosp

Originally posted by twopeak
Uhhhmmmmmm
Does this mean
"you don't have any other option than to make everything write-read-execute for owner, group and everyone (777)"?

or is it possible for anoyone who's on my server to do something like
move_uploaded_file($filename, "/home/site165/web/");

That might be possible; Apache runs one process as 'root' which opens sockets on the server and forks 'children' to serve requests from the Web at large. These children run as 'www' or whatever I said up there...it's up to the admins to set up an environment were site164 can't do anything to site165. Do you use SSH/telnet or only have FTP access?

Have PHP write a file, then 'ls -l' (or 'dir', whatever) ...

-rw-rw-rw- 65534 www www 284 Aug 16 12:39 test.html

FTP a file in from outside then 'ls -l' ...

rw-rw-rw- 165 site165 users 248 Oct 24 15:49 test2.html

The real issue, in my mind is who the owner and group of the respective files is....