security and permissions

I'm just wondering about the best way to set up permissions on a website
with a php editor which modifies the html files for the user depending on
the input from forms. It seems that the .html pages need to be set with
chmod 777 in order for the php scripts to successfully write back to the
server. This doesn't really seem very secure to me and I'm sure there is a
more secure way to set this up.

At the moment the root context is owned by httpd and the files are owned
by the user/site owner although a few files lying around are owned by
admin.

Thanks for any help,

Adam
Jul 17 '05 #1
On 2003-12-21, Brand-X <bu*********@NOSPAMhotmail.com> wrote:
> I'm just wondering about the best way to set up permissions on a website
> with a php editor which modifies the html files for the user depending on
> the input from forms. It seems that the .html pages need to be set with
> chmod 777 in order for the php scripts to successfully write back to the
> server. This doesn't really seem very secure to me and I'm sure there is a
> more secure way to set this up.
>
> At the moment the root context is owned by httpd and the files are owned
> by the user/site owner although a few files lying around are owned by
> admin.


The user, I assume the php editor also connects via ftp or scp as this
user, needs rw for the files.

The httpd needs x for directories and r for files. If you want to enable
the generation of index-lists, directories need to be readable too.

rwx = 6 for the user
--- = 0 for the group
r-- = 4 for the others (httpd) if file
--x = 1 for the others (httpd) if directory
--
verum ipsum factum
Jul 17 '05 #2
bu*********@NOSPAMhotmail.com says...
> I'm just wondering about the best way to set up permissions on a website
> with a php editor which modifies the html files for the user depending on
> the input from forms. It seems that the .html pages need to be set with
> chmod 777 in order for the php scripts to successfully write back to the
> server. This doesn't really seem very secure to me and I'm sure there is a
> more secure way to set this up.
>
> At the moment the root context is owned by httpd and the files are owned
> by the user/site owner although a few files lying around are owned by
> admin.


Adam,

If you have a typical config, PHP (and Apache httpd) will be running as
the special system user called "nobody" (which *doesn't* mean just
anybody).

How we do it:
Get root to create a specific user group (eg. webapps).
Get root to grant membership of <webapps> to "nobody" (and depending on
circumstances, to yourself and anyone responsible for maintaining your
PHP scripts).
Set the group ownership of the specific upload directories to <webapps>
and the chmod to 775 rather than 777.

Geoff M
Jul 17 '05 #3
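
The group-based scheme from reply #3, together with a check for the world-writable files the question describes, as an added example that is not part of the original thread. The function names, the demo paths and the 664 file mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths and group are assumptions.

# List files and directories under $1 that are world-writable, i.e. the
# condition "chmod 777" creates.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Hand the tree at $1 to group $2 and drop write access for "other":
# directories 775 (rwxrwxr-x) as in reply #3; files 664 (rw-rw-r--) is an
# assumption added here, since the reply only names directories.
apply_group_scheme() {
    docroot=$1
    group=$2
    chgrp -R "$group" "$docroot" || return 1
    find "$docroot" -type d -exec chmod 775 {} + || return 1
    find "$docroot" -type f -exec chmod 664 {} + || return 1
}

# Print the octal mode of $1 (GNU/busybox stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed demo tree. The group defaults to the caller's own primary GID
# so this runs without root; on a real server it would be e.g. webapps.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/uploads" && : > "$root/uploads/page.html"
    chmod 777 "$root/uploads" "$root/uploads/page.html"
    echo "world-writable before: $(find_world_writable "$root" | wc -l)"
    apply_group_scheme "$root" "${1:-$(id -g)}"
    echo "world-writable after:  $(find_world_writable "$root" | wc -l)"
    echo "file mode now: $(mode_of "$root/uploads/page.html")"
    rm -rf "$root"
}
demo "$@"
```

Group membership is read when a process starts, so the web server has to be restarted after its user is added to the group.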
