So I'm considering a small project that involves online file storage.
Let's say I wanted to set up a site that allows people to log-on,
create an account, and then have space to upload files. The problem
I'm having concerns permissions, basically.
1) How do I automatically create users in Linux from a PHP script
running under Apache's uid/gid?
2) Once 1 is done, how, when they log back on (authenticated with SQL
which will keep up with their username), do I allow them access to
their files for download? I would like to use Linux file permissions
to try and have some sort of security (i.e., would like to store users'
files under /home/[user]/files), but how do I allow the PHP script to
securely access their files, when the script runs under the Apache uid?
Is this a job for suExec?
Any input will be appreciated, and I will clarify anything that is
unclear.
Thanks,
jab3
9  1755 
jab3 wrote: So I'm considering a small project that involves online file storage.
Let's say I wanted to set up a site that allows people to log-on,
create an account, and then have space to upload files. The problem
I'm having concerns permissions, basically.
1) How do I automatically create users in Linux from a PHP script
running under Apache's uid/gid?
You can't. You need to be running as root.
2) Once 1 is done, how, when they log back on (authenticated with SQL
which will keep up with their username), do I allow them access to
their files for download? I would like to use Linux file permissions
to try and have some sort of security (i.e., would like to store users'
files under /home/[user]/files), but how do I allow the PHP script to
securely access their files, when the script runs under the Apache uid?
Is this a job for suExec?
Again, you need to be running as root to be able to change file
permissions for someone other than the Apache process.
Any input will be appreciated, and I will clarify anything that is
unclear.
One way to do the above is suexec. Or you can start batch jobs to do
the work. One thing you do NOT want to do is give the Apache process
root privileges.
Thanks,
jab3
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
"Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:Sc******************************@comcast.com. .. jab3 wrote: So I'm considering a small project that involves online file storage.
Let's say I wanted to set up a site that allows people to log-on,
create an account, and then have space to upload files. The problem
I'm having concerns permissions, basically.
1) How do I automatically create users in Linux from a PHP script
running under Apache's uid/gid?
You can't. You need to be running as root.
What about exec( some_script )? Where some_script could be run as root
through sudo? It could be a Perl script or shell script that runs the
appropriate commands to set up the user.
Balazs
Jerry Stuckle wrote: jab3 wrote: So I'm considering a small project that involves online file storage.
Let's say I wanted to set up a site that allows people to log-on,
create an account, and then have space to upload files. The problem
I'm having concerns permissions, basically.
1) How do I automatically create users in Linux from a PHP script
running under Apache's uid/gid?
You can't. You need to be running as root.
Yeah, similar to what Balazs said, I actually have done this by running
a program I wrote in C as setuid root, but I consider that dangerous.
I made the program very compact, dealing with untainted data, but
still. Guess that's the way to go for that though.
2) Once 1 is done, how, when they log back on (authenticated with SQL
which will keep up with their username), do I allow them access to
their files for download? I would like to use Linux file permissions
to try and have some sort of security (i.e., would like to store users'
files under /home/[user]/files), but how do I allow the PHP script to
securely access their files, when the script runs under the Apache uid?
Is this a job for suExec?
Again, you need to be running as root to be able to change file
permissions for someone other than the Apache process.
Yep, that's my problem. :) I keep wondering how these other sites do
it (like these online photo sites, e.g. SnapFish, that give you an
account and let you upload images for others to see). I've considered
making it all managed from an SQL database and putting the files in a
PHP-accessible directory with SQL-generated ids as subdirectory names
for each user's folder and bypassing Linux permissions. But that seems
less secure. Any input will be appreciated, and I will clarify anything that is
unclear.
One way to do the above is suexec. Or you can start batch jobs to do
the work. One thing you do NOT want to do is give the Apache process
root privileges.
I suppose I could have cron jobs that run x times an hour to move stuff
around. I'll have to look some more into suexec. And don't worry,
giving Apache root access has not occurred to me. :)
Thanks for help,
jab3
Balazs Wellisch wrote: "Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:Sc******************************@comcast.com. .. jab3 wrote: So I'm considering a small project that involves online file storage.
Let's say I wanted to set up a site that allows people to log-on,
create an account, and then have space to upload files. The problem
I'm having concerns permissions, basically.
1) How do I automatically create users in Linux from a PHP script
running under Apache's uid/gid?
You can't. You need to be running as root.
What about exec( some_script )? Where some_script could be run as root
through sudo? It could be a Perl script or shell script that runs the
appropriate commands to set up the user.
Yeah, as I told Jerry, I've done this before with a C program I wrote.
Was wondering if there was a better way as far as this option is
concerned. It's really the managing of the user's files when they log
onto the website that I've got problems figuring out. Uploading and
moving to appropriate directory (e.g., /home/'user'/files), then
browsing them for downloading again, etc.
Thanks for help,
jab3 > 2) Once 1 is done, how, when they log back on (authenticated with SQL
> which will keep up with their username), do I allow them access to
> their files for download? I would like to use Linux file permissions
> to try and have some sort of security (i.e., would like to store users'
> files under /home/[user]/files), but how do I allow the PHP script to
> securely access their files, when the script runs under the Apache uid?
> Is this a job for suExec?
>
I think it would be much simpler and just as secure to store the files
outside the web root and use a script to retrive them based on information
in a database table. So you're HTML in case of an image would look something
like this:
<img src="fileserver.php?userId=XXX&fileID=XXX">
Then the script "fileserver.php" would look up the appropriate details for
the file including its mime type and return it to the browser. It would also
be responsible for authenticating the request based on the userId. For added
security the userId can either be encrypted or stored in the session so it
doesn't have to be passed in on the URL.
Balazs
Balazs Wellisch wrote: > 2) Once 1 is done, how, when they log back on (authenticated with SQL
> which will keep up with their username), do I allow them access to
> their files for download? I would like to use Linux file permissions
> to try and have some sort of security (i.e., would like to store users'
> files under /home/[user]/files), but how do I allow the PHP script to
> securely access their files, when the script runs under the Apache uid?
> Is this a job for suExec?
>
I think it would be much simpler and just as secure to store the files
outside the web root and use a script to retrive them based on information
in a database table. So you're HTML in case of an image would look something
like this:
<img src="fileserver.php?userId=XXX&fileID=XXX">
Then the script "fileserver.php" would look up the appropriate details for
the file including its mime type and return it to the browser. It would also
be responsible for authenticating the request based on the userId. For added
security the userId can either be encrypted or stored in the session so it
doesn't have to be passed in on the URL.
Interesting. That's a good idea. Would this directory off the
web-root be owned by the apache user/group? (Doesn't the PHP script
run as the apache user?) Cause if the files were just world-readable,
I would have to figure a way to get the files there after uploading in
the first place, which presumably could just be a perl script or
something run as the owner of the directory.
Thanks for the idea,
jab3
Yeah, it would have to be owned by the apache user since I'm assuming you're
going to upload the files through the web as well. Apache will need to have
write access to it. I don't think any other user should have access to it at
all
To upload the files you'd just use move_uploaded_file(). http://www.php.net/manual/en/features.file-upload.php
B
Interesting. That's a good idea. Would this directory off the
web-root be owned by the apache user/group? (Doesn't the PHP script
run as the apache user?) Cause if the files were just world-readable,
I would have to figure a way to get the files there after uploading in
the first place, which presumably could just be a perl script or
something run as the owner of the directory.
Thanks for the idea,
jab3
Balazs Wellisch wrote: "Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:Sc******************************@comcast.com. ..
jab3 wrote:
So I'm considering a small project that involves online file storage.
Let's say I wanted to set up a site that allows people to log-on,
create an account, and then have space to upload files. The problem
I'm having concerns permissions, basically.
1) How do I automatically create users in Linux from a PHP script
running under Apache's uid/gid?
You can't. You need to be running as root.
What about exec( some_script )? Where some_script could be run as root
through sudo? It could be a Perl script or shell script that runs the
appropriate commands to set up the user.
Balazs
That's one way to do it.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
jab3 wrote:
Yeah, similar to what Balazs said, I actually have done this by running
a program I wrote in C as setuid root, but I consider that dangerous.
I made the program very compact, dealing with untainted data, but
still. Guess that's the way to go for that though.
Yes, that's one way to do things.
Yep, that's my problem. :) I keep wondering how these other sites do
it (like these online photo sites, e.g. SnapFish, that give you an
account and let you upload images for others to see). I've considered
making it all managed from an SQL database and putting the files in a
PHP-accessible directory with SQL-generated ids as subdirectory names
for each user's folder and bypassing Linux permissions. But that seems
less secure.
Why not just keep everything owned by the Apache process? Protect
access to the files through a download script, .htaccess, or some
similar way.
Even if you do change the ownership of the files you won't be more or
less secure. They'll all be access via the Apache uid anyway.
I suppose I could have cron jobs that run x times an hour to move stuff
around. I'll have to look some more into suexec. And don't worry,
giving Apache root access has not occurred to me. :)
One of the worst ways to do things.
Thanks for help,
jab3
As I said - I just keep everything owned by Apache. Membership is
managed through a MySQL database or .htaccess.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
================== This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Dennis C. Drumm |
last post by:
Is there one place (local xml file, registry, etc.) that all user can read
and write to??
I have some settings that applicable to all users, but when a restricted
rights user start my...
|
by: jd |
last post by:
I am playing about with the Personal Web Site Starter Kit. It uses a
database called ASPNETDB.MDF for loggin users into the site.
I have successfuly added users using the ASP.NET Configuration...
|
by: Zabby |
last post by:
hi,
i want to turn on/turn off a usb lamp via a vb.net button...
i think i would have to turn on/turn off the power for this usb port....
how could i do this?
kind regards
|
by: Yogee |
last post by:
Hello all,
I dont know the exact group where I should post my questions. So, I m
doing it on most of the groups which support components of LAMP stack.
My client wants to use WAMP ( Windows +...
|
by: google |
last post by:
I have a few general questions. I am working on a new database to be
used within my company. I would like to give a couple of people,
particularly HR, the ability to add and delete Access users,...
|
by: none |
last post by:
Hello:
I had a nice php application running on my server here at home, and I
uploaded it to a shared public type server and it started to break all
over the place. It turns out that some...
|
by: hamarsheh |
last post by:
please i need you'r help .. we are designing a web site and we need a critical code in php for security , we have to read users permissions on files in the local network ,to give them the real...
|
by: Kesavan |
last post by:
I install apache2 in /usr/local/apache2
and install php5 by ./configure --with-apxs2=/usr/local/apache2/bin/
apxs
PHP is successfully installed in my system.
But now my .php files inside...
|
by: Marco A. Cruz Quevedo |
last post by:
Hi everybody,
I am building php-5.2.6 with the following options:
.. . . . . . . . . . . . . . . . . . . .
--prefix=/usr --with-mysql=shared,/usr --with-zlib=/usr --with-apxs2 --...
|
by: CloudSolutions |
last post by:
Introduction:
For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
|
by: ryjfgjl |
last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
| |
