I'm just wondering about the best way to setup permissions on a website
with a php editor which modifies the html files for the user depending on
the input from forms. It seems that the .html pages need to be set with
chmod 777 in order for the php scripts to successfully write back to the
server. This doesn't really seem very secure to me and I'm sure there is a
more secure way to set this up.
At the moment the root context is owned by httpd and the files are owned
by the user/site owner although a few files lying around are owned by
admin.
Thanks for any help,
Adam 2 1770
On 2003-12-21, Brand-X <bu*********@NO SPAMhotmail.com > wrote: I'm just wondering about the best way to setup permissions on a website with a php editor which modifies the html files for the user depending on the input from forms. It seems that the .html pages need to be set with chmod 777 in order for the php scripts to successfully write back to the server. This doesn't really seem very secure to me and I'm sure there is a more secure way to set this up.
At the moment the root context is owned by httpd and the files are owned by the user/site owner although a few files lying around are owned by admin.
The user, i assume the phpeditor also connects via ftp or scp as this
user, needs rw for the files.
The httpd needs x for directories and r for files. If you want to enable
the generation of index-lists directories need to be readable too.
rwx = 6 for the user
--- = 0 for the group
r-- = 4 for the others (httpd) if file
--x = 1 for the others (httpd) if directory
--
verum ipsum factum bu*********@NOS PAMhotmail.com says... I'm just wondering about the best way to setup permissions on a website with a php editor which modifies the html files for the user depending on the input from forms. It seems that the .html pages need to be set with chmod 777 in order for the php scripts to successfully write back to the server. This doesn't really seem very secure to me and I'm sure there is a more secure way to set this up.
At the moment the root context is owned by httpd and the files are owned by the user/site owner although a few files lying around are owned by admin.
Adam,
If you have a typical config, PHP (and Apache httpd) will be running as
the special system user called "nobody" (which *doesn't* mean just
anybody).
How we do it:
Get root to create a specific user group (eg. webapps).
Get root to grant membership of <webapps> to "nobody" (and depending on
circumstances, to yourself and anyone responsible for maintaining your
PHP scripts).
Set the group ownership of the specific upload directories to <webapps>
and the chmod to 775 rather than 777.
Geoff M This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Noloader |
last post by:
Hello,
We are using Access Front End (ADP Project) and SQL Server 2000
backend. SQL Server is using NT Security.
We do not want the users to access the the underlying tables. So, we
went to each table and unchecked 'Select'. We also placed an 'X' in
all columns for guest and public account.
Next, we created a view. The view has 'Select' permission given to the
|
by: Mike MacSween |
last post by:
S**t for brains strikes again!
Why did I do that? When I met the clients and at some point they vaguely
asked whether eventually would it be possible to have some people who could
read the data and some who couldn't but that it wasn't important right now.
And I said, 'sure, we can do that later'.
So now I've developed an app without any thought to security and am trying
to apply it afterwards. Doh!, doh! and triple doh!
|
by: edge |
last post by:
hi,
here it is my problem.
My console app, reads a text file where it grabs
username/password. Next, my app creates a .BAT file to
trigger the command ftp:\\user:password@ftphomeaddress.
Then, I use Process() to start the batch.
In my local machine, the app runs just fine. But the users
|
by: Namratha Shah \(Nasha\) |
last post by:
Hey Guys,
Today we are going to look at Code Access Security.
Code access security is a feature of .NET that manages code depending on its
trust level. If the CLS trusts the code enough to allow it ro run then it
will execute, the code execution depends on the permission provided to the
assembly. If the code is not trusted wnough to run or it attempts to perform
an action which doe not have the required permissions then its execution...
|
by: Marina |
last post by:
Hi,
I am trying to find the minimum security settings to allow a windows control
embedded in IE have full trust.
If I give the entire Intranet zone full trust, this works. However, this is
very broad and gives the entire zone high privleges.
I tried giving just the assembly full trust (using the full URL for the
DLL), but this doesn't seem to work.
| |
by: Earl Teigrob |
last post by:
Background:
When I create a ASP.NET control (User or custom), it often requires security to be set for certain functionality with the control. For example, a news release user control that is comprised of a DataGrid may have separate permissions for adding, deleting and updating a news item.
Problem
Up until now, I have been implementing security directly inside the control. I will test directly against the security model to see if...
|
by: Carl |
last post by:
Hi.
I have my program written as a console application in C# .NET 2005.
I run it from a server on the local intranet and I got this message:
An unhandled exception of type 'System.Security.SecurityException' occurred
in System.Data.dll
Additional information: Request for the permission of type
'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
|
by: Nick |
last post by:
Is there a way to do declarative security on abstract classes? I am working
on a data access layer and would like to place all permission requirements on
the base class so all inherited classes contain the permissions. Is this
possible, and if so can anyone provide an example?
|
by: Budhi Saputra Prasetya |
last post by:
Hi,
I managed to create a Windows Form Control and put it on my ASP .NET page. I
have done the suggestion that is provided by modifying the security settings.
From the stack trace, I would assume that the code throws exception when it
is trying to retrieve the processes list that has certain name. Below is the
code that I use to retrieve the processes.
Process processes = Process.GetProcessesByName("xxxx");
|
by: Mike |
last post by:
Hi
I have problem as folow:
Caught Exception: System.Configuration.ConfigurationErrorsException:
An error occurred loading a configuration file: Request for the
permission of type 'System.Security.Permissions.FileIOPermission,
mscorlib, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089' failed. (machine.config) --->
System.Security.SecurityException: Request for the permission of type
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |