Re: Users/permissions/files - LAMP

Jerry Stuckle wrote:
> jab3 wrote:
> > So I'm considering a small project that involves online file storage.
> > Let's say I wanted to set up a site that allows people to log-on,
> > create an account, and then have space to upload files. The problem
> > I'm having concerns permissions, basically.
> >
> > 1) How do I automatically create users in Linux from a PHP script
> > running under Apache's uid/gid?
>
> You can't. You need to be running as root.

Yeah, similar to what Balazs said, I actually have done this by running
a program I wrote in C as setuid root, but I consider that dangerous.
I made the program very compact, dealing with untainted data, but
still. Guess that's the way to go for that though.

> >
> > 2) Once 1 is done, how, when they log back on (authenticated with SQL
> > which will keep up with their username), do I allow them access to
> > their files for download? I would like to use Linux file permissions
> > to try and have some sort of security (i.e., would like to store users'
> > files under /home/[user]/files), but how do I allow the PHP script to
> > securely access their files, when the script runs under the Apache uid?
> > Is this a job for suExec?
> >
>
> Again, you need to be running as root to be able to change file
> permissions for someone other than the Apache process.

Yep, that's my problem. :) I keep wondering how these other sites do
it (like these online photo sites, e.g. SnapFish, that give you an
account and let you upload images for others to see). I've considered
making it all managed from an SQL database and putting the files in a
PHP-accessible directory with SQL-generated ids as subdirectory names
for each user's folder and bypassing Linux permissions. But that seems
less secure.

> > Any input will be appreciated, and I will clarify anything that is
> > unclear.
> >
>
> One way to do the above is suexec. Or you can start batch jobs to do
> the work. One thing you do NOT want to do is give the Apache process
> root privileges.

I suppose I could have cron jobs that run x times an hour to move stuff
around. I'll have to look some more into suexec. And don't worry,
giving Apache root access has not occurred to me. :)


Thanks for help,
jab3

.

Relevant Pages

  • Re: [RFC] FUSE permission modell (Was: fuse review bits)
    ... >> root is denied all access. ... and the kernel checks the permission. ... The userspace can't enforce the permissions. ...
    (Linux-Kernel)
  • Re: MISSING PAGEFILE.SYS FILE
    ... Agree that there's a permissions problem. ... c:\ root and killed all permission groups except Everyone Group and System. ... "George Hester" wrote: ... the Everyone group includes the System account. ...
    (microsoft.public.windowsxp.general)
  • Re: MISSING PAGEFILE.SYS FILE
    ... "George Hester" wrote: ... Not a folder on C drive called root. ... There is no need to have a seperate permissions set for the System account ... Am beginning to wonder if I have a partial SP-2 installation problem. ...
    (microsoft.public.windowsxp.general)
  • Re: [PATCH 0/3] vfs: plug some holes involving LAST_BIND symlinks and file bind mounts (try #5)
    ... A process can run inside a subdirectory it doesn't have permissions to ... root, if that's how it was started - as well as having other ... to follow a /proc/pid symlink to a path that it wouldn't ordinarily be ... directory permissions or access files that aren't in their namespace ...
    (Linux-Kernel)
  • Re: Problem setting up NFS on Ubuntu
    ... I have installed Ubuntu ... > I used System - Administration - Synaptic Package Manager to include NFS ... Should I be using the GUI, and if so, how do I do that as root, ... and doesn't change the permissions displayed by ls -l ...
    (comp.os.linux.setup)