Re: write with cURL



Tim Greer wrote:
Jerry Stuckle wrote:

Tim Greer wrote:
Ylva Poelman wrote:

The problem is that I do not want to change an existing file, but to
create a new one, write to it and save it.
Then the directory you create the file in needs world read, write and
execute permissions. This is assuming that the PHP script runs as
the global web server user (and it surely does given the problem you
have). So, create a directory and set it to chmod 1777 (or 0777 if
you can't add the sticky bit) and then have files created there (or
wherever you need, though it's a terribly bad idea to set the primary
web root directory itself to world writable).
World read/write is VERY BAD. It opens the website to all kinds of
potential security risks from other users on the same server.

Rather, it should be user and group read/write, and ensure the web
server itself is part of the group.


I made this suggestion because their web host appears to run Apache as
the global web server user and thus needs world write permissions to
work. I doubt the OP has permission to configure the web server in
this case and it doesn't appear their hosting provider has it set up
that way. Also, if you have the web server added to the same group
that the user belongs to (for read and write permission), you still
need to give that group write privileges all the same, which imposes
many of the same risks as setting privs for world (now it just applies
that same logic to group).


That is incorrect. It does not need global write permission. I don't have it on ANY of the servers I manage.

And no, you don't have the same exposure. With world read/write, anyone can access the files through ftp, ssh, etc. That does not have to be the case - and is very dangerous.

Granted, that would make it so the web server will have read and write
access that only root, the user themselves and the web server group
have that access to (and not just any user would, so it is better than
world), and thus it's slightly better in that regard, but it will still
allow any user's PHP script to have the same write, modify and delete
access to the user's files, since it'll run as the Apache group, too.

Instead, I recommend having the host implement suPHP and not run PHP in
the Apache API, so only their user and the web server have read, write
and execute permissions. But, that's still up to their web host, and
it doesn't sound like either of these suggestions are viable options
for them.


No, this can easily be handled with the PHP configuration. Even though all sites have the same user, scripts in one site can be restricted to access only the files on that site.

If the web host doesn't offer that or won't change (they likely won't if
they're not already doing it), I'd suggest to just run PHP in CGI (if
the host offers CGI with the SuEXEC CGI wrapper), as that will provide
them with the same advantages of not having to use world (or group w/ a
shared Apache group) access to anything, though it would require a
trivial amount of knowledge with permissions and likely adding the
shebang line to the top of any PHP scripts they'd be executing. It may
come down to that or finding a web hosting provider with a better idea
of what they are doing.

CGI is not necessary. All it takes is correct configuration of the system.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
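
An added example, not part of any post in this thread: a POSIX shell audit that sorts the directories under a web root into the permission classes argued about above (0777, 1777, group-writable), plus a helper that creates a group-writable directory. The function names are this example's own, and the setgid bit in mode 2770 is an assumption that goes beyond the "user and group read/write" wording in the thread.

```shell
#!/bin/sh
# Added example: sort directories by the write exposure discussed in the thread.

# has_perm DIR BITS: succeeds when DIR has every bit of octal BITS set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# classify_dir DIR: prints one class name for DIR.
classify_dir() {
    [ -d "$1" ] || { echo "not-a-directory"; return 1; }
    if has_perm "$1" 0002; then
        # World-writable: every local account can create files here.
        if has_perm "$1" 1000; then
            # Sticky bit: users cannot remove or rename each other's files.
            echo "world-writable-sticky"   # e.g. 1777
        else
            echo "world-writable"          # e.g. 0777
        fi
    elif has_perm "$1" 0020; then
        echo "group-writable"              # e.g. 0770
    else
        echo "owner-only"
    fi
}

# audit_tree ROOT: prints "class<TAB>path" for every directory under ROOT.
audit_tree() {
    find "$1" -type d -print | while IFS= read -r dir; do
        printf '%s\t%s\n' "$(classify_dir "$dir")" "$dir"
    done
}

# make_group_dir DIR GROUP: owner and group get full access, others none.
# Assumption: setgid (the leading 2) so new files inherit GROUP.
make_group_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Usage: sh audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Whether "group-writable" is acceptable depends on who is in the group: as the posts above discuss, a group shared by every site's PHP scripts still lets those scripts write to the directory.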