By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,760 Members | 1,644 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,760 IT Pros & Developers. It's quick & easy.

Security questions regarding password protected ZIP files

P: 88
Yay guys!

I hope you all are having a warm fuzzy loveable day.

The following questions are kind of related to this thread:
Protect files (on web server) from web admin.

If one has password protected zip file:
1) where would the content temporary be extracted to (probably the OS designated temp directory, right?)

2) would the extracted content be protected? That is, would the extracted zip content (files and folders):

2.1) be hidden? (i.e. you can't see the files and folders)

2.2) not be possible to copy? (i.e. regardless if you can see the files and folders or not, you can't copy the extracted content)

Then there is the question of performance:
  • Would PHP extract the zip files for each request?
  • Or would the first request for the content be extracted and all following requests use the same extracted content?

Does this make any sense? I hope so.
Nov 8 '07 #1
Share this Question
Share on Google+
2 Replies


Atli
Expert 5K+
P: 5,058
Hi.

Just my $.02...

If one has password protected zip file:
1) That would depend on the class / extension you are using to un-zip your files. I would assume you would have a choice.

2) would the extracted content be protected? That is, would the extracted zip content (files and folders):

2.1) Nothing is hidden from the root user of your OS. So if the files will be un-zipped onto the hard-drive the root user could read it. But you would be able to un-zip them into a folder outside the web-root, so it could not be directly downloaded by HTTP clients.

2.2) If you can see a file, you can copy it (one way or another). And as with point 2.1, the root user can pretty much do everything. You should also be aware that PHP is ofter run by a 'nobody' user, so every file PHP creates should be protected from other users of the system.

Then there is the question of performance:
  • This would be the ideal security arrangement, but would result in very poor performance.
  • This would be the ideal performance arrangement, but would leave the files unprotected from the root users, and any other user that has access to it.
Nov 9 '07 #2

P: 88
Yay Atli! Thanks for your input!

1) That would depend on the class / extension you are using to un-zip your files. I would assume you would have a choice.”

Honestly. I did not see that one coming. I have been yearning to bring into play the new flashy PHP 5.2 ZIP support with all its super shiny glory for a while now, alas I have not come any closer upgrading to 5.2 yet.

Anyhow, it was the fallow up question that was of main interest:

2.1) Nothing is hidden from the root user of your OS. So if the files will be un-zipped onto the hard-drive the root user could read it. But you would be able to un-zip them into a folder outside the web-root, so it could not be directly downloaded by HTTP clients.

2.2)
If you can see a file, you can copy it (one way or another). And as with point 2.1, the root user can pretty much do everything. …”


However…

“This would be the ideal performance arrangement, but would leave the files unprotected from the root users, and any other user that has access to it.”

So basically it comes down to my two last questions? Performance VS security. If I have understood you correctly I should be able to do what ever I was trying to do, albeit it could come at a cost of losing performance.

“You should also be aware that PHP is ofter run by a 'nobody' user, so every file PHP creates should be protected from other users of the system.”
Sneaky. A user… With no name, you say. Thanks, I’ll keep a look out for that shifty thing.

I have a lot to learn in this area. I have been scratching the surface on compressing, caching and stuff. I want to apply these techniques to improve performance. I was hopping that I could use them to perfect security too. It seems that the easiest way would be to set up my own server ;)

Thanks your “PHP variable”-input (but you are not allowed to have dots in the var name!)
Nov 9 '07 #3

Post your reply

Sign in to post your reply or Sign up for a free account.