Re: File permissions for a wiki-like site



Files are owned by OS users. Anything Apache and PHP can write on
can be written on regardless of the Web user. If you have rules
about what Web user can write on what other Web user's stuff, you
have to write code to enforce it. Web users normally don't have
corresponding OS users.

If you are on a shared host, you may be able to FTP content in using
YOUR OS user but PHP runs as Apache's OS user. The only way to let
both write in the same place is to use mode 777 on directories (unless
they are in a common group, which they usually aren't).


A smart host will make users members of the group owned by the Apache
server. Then you can use 660 (or 770 if it's executable) and be
accessible by the owner and the web server, but not by other users.

In a hosted setup, it's likely that there is one instance of Apache,
thus this puts all of the users in the same group. This makes 660
or 770 just as much of a threat as 777. The threats are: other
users, admins, and someone coming in through Apache. The admins
and someone coming in through Apache you can't protect against with
file permissions.

You cannot, for example, have multiple instances of Apache listening on
port 80 of a single IP address, and I thought assigning 255 IP addresses
to a single web server went out with browsers that don't understand
HTTP/1.1 and the Host: header.

It would seem, then, that I would want to give rwx permissions for the
content files to that user alone (and myself), not do a chmod 777. Is
that right?

Standard UNIX file permissions don't allow a file to have two owners.

You don't normally want to give x permission to any *file* that a
web application can write on (as distinguished from *directory*,
which needs x permission). x permission is for executables and
shell scripts.


So why not just throw the door wide open to any hacker who could upload
to that file and run whatever scripts he wants? :-)

You'd even consider allowing uploads via HTTP?

==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================


.



Relevant Pages

  • RE: application for an employment
    ... given host or range of hosts. ... You send your DNS query to a server you *do* have permission ... how does Google get the address of your webserver? ...
    (Security-Basics)
  • New Module: Apache process/host manager
    ... "Apache Independent Virtual Hosts". ... the potential usefulness of this project and my current namespace. ... store host information in an SQL database, ... they mess up and their server doesn't start, ...
    (comp.lang.perl.misc)
  • Re: applications, users, groups, permissions
    ... > When apache tries to serve a file it must have permission to access ... > application file access permission questions. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject of "unsubscribe". ...
    (Debian-User)
  • [UNIX] Apache 2 Cross-Site Scripting
    ... A vulnerability exists in the SSI error pages of Apache 2.0 that involves ... This particular attack involves a lack of filtering on HTTP/1.1 "Host" ... Some browsers submit the malicious host header when parsing this request: ...
    (Securiteam)
  • Re: Need Help on setting up a small home site.
    ... > host a small website of mine.Howevery, this is the first time I have ... If you can follow the Apache ... configuration connections on the LAN side. ... > of the Apache HTTP server after it has been installed. ...
    (comp.infosystems.www.servers.unix)