Re: File permissions for a wiki-like site

Gordon Burditt wrote:
Files are owned by OS users. Anything Apache and PHP can write on
can be written on regardless of the Web user. If you have rules
about what Web user can write on what other Web user's stuff, you
have to write code to enforce it. Web users normally don't have
corresponding OS users.

If you are on a shared host, you may be able to FTP content in using
YOUR OS user but PHP runs as Apache's OS user. The only way to let
both write in the same place is to use mode 777 on directories (unless
they are in a common group, which they usually aren't).

A smart host will make users members of the group owned by the Apache server. Then you can use 660 (or 770 if it's executable) and be accessible by the owner and the web server, but not by other users.

In a hosted setup, it's likely that there is one instance of Apache,
thus this puts all of the users in the same group. This makes 660
or 770 just as much of a threat as 777. The threats are: other
users, admins, and someone coming in through Apache. The admins
and someone coming in through Apache you can't protect against with
file permissions.

Incorrect. There are ways of keeping each website code within it's own directory, i.e. the open_basedir can be set on a per-virtual host (or per-directory) basis. Properly set, PHP will not be able to access files of another website.

You cannot, for example, have multiple instances of Apache listening on
port 80 of a single IP address, and I thought assigning 255 IP addresses
to a single web server went out with browsers that don't understand
HTTP/1.1 and the Host: header.

I didn't say anything about multiple instances on port 80, did I?

There are 65,535 ports available - and all but the first 4096 (0-4095) are available to anyone who wants them. Port 80 just happens to be the default port for the http: protocol.

It would seem, then, that I would want to give rwx permissions for the
content files to that user alone (and myself), not do a chmod 777. Is
that right?
Standard UNIX file permissions don't allow a file to have two owners.

You don't normally want to give x permission to any *file* that a
web application can write on (as distinguished from *directory*,
which needs x permission). x permission is for executables and
shell scripts.

So why not just throw the door wide open to any hacker who could upload to that file and run whatever scripts he wants? :-)

You'd even consider allowing uploads via HTTP?

Sure. Protections can be established.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Relevant Pages

  • Re: FW: Legal? Road Runner proactive scanning.[Scanned]
    ... By this act you give permission ... The port they send to does not make a difference as far as ... Attaching a host to the internet is like opening your business ...
  • RE[4]: Finding web servers with nmap
    ... Suggestions for discovery web servers (I define a web server as a ... host with open port 80 serving http and, particularly, do not care about ... listening on a port or not happens. ...
  • Re: Trying to get my server working
    ... As SG pointed out...a simple google search points out that Port 80, the port for WWW is the number 1 port of attack. ... You do not have to host your own website to host your own email and webmail. ... This is primarily a web server but I am limited on funds and want to ... know the best case and then also the cheap way. ...
  • Re: Any Web Based VNC for Mac?
    ... Tom Stiller wrote: ... I can't recommend port 80, but tunneling through the ssh port works ... If that host is running a web server, ...
  • apache permission users
    ... I installed apache2 web server on debian. ... I need use this web server to host several domains ... I'm not sure how configure permission for each users. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...