Re: impossible for 'other' user to chmod files?

From: Michael Austin (maustin_at_firstdbasource.com)
Date: 06/16/04


Date: Wed, 16 Jun 2004 14:05:41 GMT

dan glenn wrote:

> (PHP 4.3.4) THIS IS DRIVING ME NUTS!
>
> I have a website where I offer members their own bit of webspace to use and
> am coding a very simple 'filemanager' that allows a user to upload, delete,
> and edit text files (members, of course, will not have normal sign-on FTP
> access to the site - I just limit them to their own folder space). I'm
> hitting a real problem with file and directory permissions, in that it seems
> I'm experiencing inconsistencies with my permissions when the user attempts
> to edit these files.
>
> One question I need answered: does the server side somehow keep track of
> 'who' originally created a file or folder ('owner', 'group', 'other'), so
> that there would be a difference in later trying to apply a script-coded
> CHMOD or file-open (script-coded would be 'other'-activity) on a file
> originally uploaded by sign-on FTP ('owner'-created)??? In other words, if
> I log on through FTP and upload a file, it has 644 permissions which allow
> writes only for the 'owner' of that file. When someone is running my simple
> script, that someone is seen as 'other' (?) and therefore does not have
> write permissions and will not be allowed to edit the file. However, if
> someone uploads a file through my simple script, again the file gets 644
> permissions but now the 'owner' of the file is not an FTP sign-on user, but
> some 'other' (less exalted) user. Thus when this same someone is then trying
> to edit the file via my simple script, he IS permitted to do so since the 6
> in the same 644 permissions now applies to him, since an 'other' was the
> creator (thus 'owner') of the file. ????????????????? ARGH!!!
>
> I seem to be getting quite maddening inconsistencies in testing this out. If
> anyone can tell me some simple facts about how's the best way to do this
> (allow general users of my site to manage their own little webspace), I
> would be forever in their debt...
>
> -dg
>
>

Yes, the server always knows "who" created a file... a simple 'ls -la'
will tell you. If the user is not the owner or in the group of the
owner and the user mask is 644, then the user only has READ privs.

If you truly do not understand security concepts and their
ramifications, then I would suggest doing so before you make changes
that would make your site vulnerable.

Michael.
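
The ownership check discussed in this thread, as an added example that is not part of the original posts: a Python model of the classic Unix owner/group/other decision (ACLs and similar extensions are ignored). The uids, and the assumption that the PHP script runs as a separate web server user, are constructed for illustration.

```python
import stat

def perm_class(file_uid, file_gid, proc_uid, proc_gids):
    """Pick the one permission triplet that applies; the first match wins."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"

def can_write(mode, file_uid, file_gid, proc_uid, proc_gids):
    """True if the process may open the file for writing (root bypasses mode bits)."""
    if proc_uid == 0:
        return True
    bit = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}
    return bool(mode & bit[perm_class(file_uid, file_gid, proc_uid, proc_gids)])

def can_chmod(file_uid, proc_uid):
    """chmod is allowed only for the file's owner or root, whatever the mode says."""
    return proc_uid == 0 or proc_uid == file_uid

# Constructed accounts (assumptions, not from the thread):
# uid 1001 = the FTP login, uid 33 = the web server user the PHP script runs as.
FTP_UID, FTP_GID = 1001, 1001
WEB_UID, WEB_GID = 33, 33

def report():
    """Evaluate a mode-644 file from each upload path, as seen by the web script."""
    rows = []
    for label, owner_uid, owner_gid in [("uploaded via FTP", FTP_UID, FTP_GID),
                                        ("uploaded via script", WEB_UID, WEB_GID)]:
        rows.append((label,
                     perm_class(owner_uid, owner_gid, WEB_UID, [WEB_GID]),
                     can_write(0o644, owner_uid, owner_gid, WEB_UID, [WEB_GID]),
                     can_chmod(owner_uid, WEB_UID)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%-20s class=%-5s write=%-5s chmod=%s" % row)
```

The same 644 mode gives two different outcomes because the class is chosen from the file's recorded owner and group, not from the mode alone.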


