
Topic awaiting preservation: Give write access to a certain file/directory only

 
H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 10-04-2005 05:30

Hi all, just wondering: is it possible to give a certain file, or files in a directory, write access to another directory, but have everyone else not able to write to that directory?

What I have is a PHP CMS which creates new .php files in the webroot for the public to view. However, I would like to restrict write access so the public can't write in there. The problem here is that when you are using the CMS it sees you as public because you're accessing it the same way.

I've been on Windows servers in the past, so I don't know a lot about the .htaccess files etc.

So, is it possible to set up a .htaccess file which requires a user to enter a username/password to access the PHP file, and then give this user write access to the webroot directory?

OR is it possible to give a certain PHP file access to write in the wwwroot directory, as I can password-protect access to these files anyway?

Thanks all.

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 10-04-2005 08:41

Actually, I'm having a problem with PHP also...

When I use the mkdir function from a PHP script it seems to make "Public" the owner of the directory. If I chmod it to 755, for example, I can't delete the directory from FTP, only from another PHP script that I run.

Alternatively, if I create the directory in the FTP the same way, then the PHP script can't delete it. Is there any way to set the OWNER of the directory when the PHP script creates it?

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 10-04-2005 08:50

Sorry, but standard Linux file permissions won't cut this, especially since you probably have only one user (the webserver user) involved.

Still, you should make sure your files are at most 600 - 660 if you want to access them via your own FTP account.

Now if you happen to have a PHP installation that runs as the user that owns the file, you could chown() the editing PHP script, chown the text file, and give it 620 (I think... look it up, might be 640 ;-)). That should work.

so long,

->Tyberius Prime

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 10-04-2005 09:07

Ack... well, having some problems.

When I create the directory from the PHP script I can use chmod on the directory and change it to what I want. I can ONLY delete the directory when logged in via FTP if I set the directory to 757 or 707 (as long as public is 7), because it thinks the FTP login is public.

Also, I have done a CHOWN on the directory I created.

When I create a directory via PHP script, CHOWN = 99
When I create a directory via the FTP, CHOWN = 32182

Unfortunately, when I create the directory and try to change the UID to 32182 from a PHP script it says permission denied.

TB: For your suggestion, if I set files to 600 or 660 via the PHP script my FTP won't be able to access them at all!

Is this server working right? It just doesn't seem correct.

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 10-04-2005 10:58

On another note, what are the risks in having public write access (757) on my public_html directory?

The problem is my PHP CMS creates files for new pages and needs to put them in the root; for this I need write access, and since it's a PHP script it has to be public.

What is the correct way to do this?

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 10-04-2005 16:58

Risks of having public write access on your public_html - anybody that can possibly write on the system (including the mail server, the FTP server, any other user with shell access, any broken inetd daemon) can place an evil php there to gain complete control over the webserver.

You'll need to find out:
- what your FTP user is (you pass that as the username)
- what user your PHP scripts run under (php->get_current_user());
- what umask files created via PHP have by default (just create a file, don't chmod it, look up the rights)
- what umask directories created via PHP have by default.

Now, on the systems I administrate, either PHP runs as your FTP user (best case), or the webserver user and your FTP user are in the same group.
That way you can at least have files 660 and not have them world-readable.

Everything else is just waiting for something to break its chroot.
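
An added example, not part of the original posts: a PHP probe for the checklist in the post above (which account PHP runs as, and what owner and mode new files and directories get when nothing is chmod'ed). The function names `describe` and `probe` and the use of the system temp directory as scratch space are assumptions of this example; it needs PHP 7+ and uses the posix extension when available.

```php
<?php
// Added example, not from the thread. Run it through the web server (not the
// CLI) so it reports the account that actually serves PHP requests.

// Owner, group and permission bits of a path, plus a world-writable flag.
function describe(string $path): array
{
    clearstatcache(true, $path);
    $st = stat($path);
    return [
        'uid'            => $st['uid'],
        'gid'            => $st['gid'],
        'mode'           => sprintf('%04o', $st['mode'] & 07777),
        'world_writable' => ($st['mode'] & 0002) !== 0,
    ];
}

// Create a scratch file and directory without chmod, record what they got.
function probe(string $baseDir): array
{
    $euid = function_exists('posix_geteuid') ? posix_geteuid() : null;
    $report = [
        // get_current_user() is the owner of this script file, which is
        // not necessarily the account the PHP process runs as.
        'script_owner' => get_current_user(),
        'process_euid' => $euid,
        'umask'        => sprintf('%04o', umask()),
        'base_dir'     => describe($baseDir),
    ];
    $tag  = bin2hex(random_bytes(4));
    $file = "$baseDir/probe_$tag.txt";   // hypothetical scratch names
    $dir  = "$baseDir/probe_$tag.d";
    if (@file_put_contents($file, "probe\n") !== false) {
        $report['new_file'] = describe($file);
        unlink($file);
    }
    if (@mkdir($dir)) {
        $report['new_dir'] = describe($dir);
        rmdir($dir);
    }
    // If the process account differs from the script owner (the FTP
    // account), each side needs group or world bits for the other's files.
    $report['same_account'] = $euid === null ? null
        : ($euid === fileowner(__FILE__));
    return $report;
}

header('Content-Type: text/plain');
echo json_encode(probe(sys_get_temp_dir()), JSON_PRETTY_PRINT), "\n";
```

Upload it over FTP and request it in a browser: a `same_account` of `false` together with differing uids for `new_file` and the script is the situation described in this thread, where neither account can remove what the other created without world permissions.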

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 10-05-2005 03:01

Yeah, doesn't look like that's the case; looks like webusers run the PHP.

I have found a way around it though, hopefully it's secure. I just use the built-in FTP functions and basically create the files that way, so it's as though I am logged in via FTP anyway. This way I can use whatever chmod restrictions I want, since it's as though the FTP user is doing it all.

Any idea if there are risks associated with FTP via PHP?
