Secure management scripting

aewarnick

I spoke with my web host recently about adding the httpd (apache) user to be a member of my users group so that both the script and the ftp user can edit files and directories without changing permissions every time the script need to write. They said that it is insecure to have my files owned by httpd. I asked them why but they never give good answers.

Is this coding a bad idea? Should I just forget about it and resort to ftp all the time? Which, by the way, is not possible in some circumstances. I would really like to manage my site without the use of ftp. Can you give me some tips/insight/warnings?

//This piece of code is in a EditFile.php page.
if(IsUserLoggedIn() && $_SESSION['un']=='MyAdminName')
{

if(isset($_POST['writeEdit']))
{//write the edited file

	$s= $_POST['fileData'];

	$s= ToUnSafeStr($s);

	echo $_POST['filePath']."<br>".aFileWrite($_POST['filePath'], 'w+', $s)." Bytes written";

}
else if(isset($_POST['readEditPath']))
{//read in the page and display for editing

	echo $_POST['readEditPath'].'<br>';

	$s= aFileRead($_POST['readEditPath']);

	$s= ToSafeStr($s);

	?>

	<form name="fileEditForm" action="<?=MakeHtmlPath(__FILE__);?>" method="post">

	<textarea name="fileData" wrap="soft" style="width:100%;" rows="30"><?=$s;?></textarea><br>

	<input name="writeEdit" type="submit" value="SAVE">

	<input type="hidden" name="filePath" value="<?=$_POST['readEditPath'];?>">

	</form>
	<?
}
}

//These two are functions in another page that are used
function ToSafeStr($s)
{
	$sz= strlen($s);

$str="";

$ind=0;

for($i= 0; $i < $sz; ++$i, ++$ind)

{

	if($s[$i]==='&')

	{

		$str.='&#38;';

	}
	else if($s[$i]==='<')

	{

		$str.='&lt;';

	}
	else if($s[$i]==='>')

	{

		$str.='&gt;';

	}

	else $str.=$s[$i];

}

return $str;
}
function ToUnSafeStr($s)
{
	$sz= strlen($s);

$str="";

$ind=0;

for($i= 0; $i < $sz; ++$i, ++$ind)

{

	if($s[$i]==='&#38')

	{

		$str.='&'; $i+=3;

	}
	else if($s[$i]==='&lt;')

	{

		$str.='<'; $i+=3;

	}
	else if($s[$i]==='&gt;')

	{

		$str.='>'; $i+=3;

	}

	else $str.=$s[$i];

}

return $str;
}

severndigital

i can see what you are trying to do, but i also understand the security risks invovled with making httpd owner of items.

why not use a webbased ftp program? there are many php based ftp clients out there that you can use.

if you want to control who can edit what parts of a page, you can write a script that will allow editing certain "snippets" or sections of code.

all in all I think there are several ways around the ftp issue. other than making httpd owner of folders/files.

if chmod is the issue, why not grant 777 permissions on the file/folder. this way all users can access it.

anyway, my 2 cents... you can give me change if you want.

chris

aewarnick

This is basically what I use to chmod my site. I created it a while back and is being improved upon slowly. But I hate the idea of php logging in and doing all of these checks to write to a file or directory. I think it can get really costly to the server.

function Login()

{

global $FtpLoginConn, $public_html;

if($FtpLoginConn) return $FtpLoginConn;

$FtpLoginConn= ftp_connect('ftp.mysite.com');

$pass= aFileRead($public_html.'/../pwdfile');

if(ftp_login($FtpLoginConn, "myuser", $pass))

return $FtpLoginConn;

else if($FtpLoginConn)

{

ftp_close($FtpLoginConn);

$FtpLoginConn=0;

}

return 0;

}



function Logout()

{

global $FtpLoginConn;

if(!$FtpLoginConn) return;

ftp_close($FtpLoginConn);

$FtpLoginConn=0;

}



class ChModClass

{

var $path;

var $ftpPath=0;
var $fileStats;

//var $safeDir= 755;

//var $safeFile= 644;



function ChModClass()

{

}

function Start($pth, $level=777)

{

	$this->path= $pth;
	$this->fileStats= stat($pth);
//if($this->fileStats['mode'] & 040000) echo $pth.": It's a directory.  Probably correct.  If not...";
//if(($this->fileStats['mode'] & 0170000) == 040000) echo "It's a directory";

	if($this->fileStats['uid'] == exec('id -u')) //'httpd', usually

	{

		chmod($this->path, octdec($level));

	}

	else

	{

		$this->ftpPath= MakeFtpPath($pth);

		ftp_site(Login(), "CHMOD ".$level." ".$this->ftpPath);

	}

}

function Finish($level)

{

	global $FtpLoginConn;

	if($this->ftpPath)

	{

		if($FtpLoginConn) ftp_site($FtpLoginConn, "CHMOD ".$level." ".$this->ftpPath);

		Logout();

	}

	else

		chmod($this->path, octdec($level));

}

function FinishDir($level= 775)

{

	$this->Finish($level);

}

function FinishFile($level= 664)

{

	$this->Finish($level);

}

}