Security, suggestions

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

mikusan
Forum Contributor
Posts: 247
Joined: Thu May 01, 2003 1:48 pm

Security, suggestions

Post by mikusan »

Hi, this is pretty simple: I have a script that I would like not to be accessible by users on the same server machine. I am not root, and there are many users that can access each other's information (not write, of course, but read and copy are allowed).

Now the solution I am looking for has either to do with the .htaccess code, which I could not find, or with me somehow including my program from another server.

I would prefer some help with the .htaccess, but I am also curious about the second option.

Thanks guys!
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Could you do:

Code:

    chmod o-r filename

Assuming you can

Code:

    chgrp www-data filename

Replace www-data with whatever user your web server runs as, often www-data, apache, or nobody.

Now the webserver can still read the file, but the local users can't.
mikusan
Forum Contributor
Posts: 247
Joined: Thu May 01, 2003 1:48 pm

Post by mikusan »

Well, wouldn't that mean that I too will not be able to see the file?
What does

Code:

    chgrp www-data filename

do?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

In *nix systems using the "default"/regular file system each file has three sets of permissions -- owner, group, other -- and each set can specify read, write, and execute permissions separately:

So if you see "-rwxr-xr-x" this means that the file has owner read/write/execute, group read/execute and other read/execute.

Normally a file is created with group = owner and with some default mask, so you have something like:

Code:

    touch temp
    ls -l temp
    -rw-r--r--    1 nielsene nielsene        0 Aug 14 11:38 temp

The -l on ls tells it to do the "long" listing.
The first dash on the line is normally used to show if a file is a directory or softlink. The next three triplets show the permissions. In this case the owner has read/write, the group has read, and others have read. The double nielsene shows the owner and group.
If I do

Code:

    chgrp www-data temp
    chmod o-r temp
    ls -l
    -rw-r-----    1 nielsene www-data        0 Aug 14 11:38 temp

Notice that the group is now 'www-data' and others have lost read privileges. Nielsene, me, the owner, can still read/write the file, even if I'm not in the www-data group.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

A lot of people find it easier to chmod by number. For that, remember that each group must be represented: 0 is nothing for that segment, 1 is execute, 2 is write and 4 is read.

Thus chmodding a file at rwxr-xr-x with 640 makes it rw-r-----, and broken down to be easier to read...
[rwx][r-x][r-x] chmodded to 640 becomes [rw-][r--][---]
mikusan
Forum Contributor
Posts: 247
Joined: Thu May 01, 2003 1:48 pm

Post by mikusan »

Thanks for the detailed explanation. I had some clue on how they worked, but you gave me a more detailed view. I also prefer numbers, but nevertheless that's not the point.
How can I chmod a batch of files? I mean, if I chmod the directory, do I have to use regression for it to chmod all the containing files, or how does that work? And is this more effective than not allowing people to view my folders through a .htaccess code?

On a sidenote, I have NEVER figured out how to check what group anyone belongs to. Especially because PHP writes files as another user... hence making it impossible to view the files until I chmod the dirs through a script... I would like to find out how to determine groups and stuff... any good link to a tutorial?

Thanks
mikusan
Forum Contributor
Posts: 247
Joined: Thu May 01, 2003 1:48 pm

Post by mikusan »

Just to reply to the above post, I have been su'ing my way through comprehending this... so I chmodded my main /var/www/html directory to look like
drwx-----x myself myself
Just to note that ^ (the above) has not changed to www-data...

To my understanding that last "execute" allows people to view the page from html and therefore execute all my scripts... I don't seem to be getting your result, which is

-rw-r----- 1 nielsene www-data
Is that because mine is a dir and yours is a file?
What is that number right after -rw-r-----?
Thanks!!
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

OK. For a web server to serve the file it needs "READ", not "EXECUTE", permission.

The number right after the permissions is the number of links that exist to the file. I believe a directory will always show at least 2.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Yes, when doing a directory you should probably do

Code:

    chmod -R xxx dirname

so all the files inside the directory get the same changes (the -R means recursive).
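Putting nielsene's two suggestions together (the chgrp to the web server's group plus o-r from the first reply, and the recursive pass over a directory from the last one), here is an added shell example that is not from the thread. It does the recursive step by file type, because a flat chmod -R 640 would also strip the execute (search) bit from every directory and make the tree untraversable for everyone, the owner included; directories get 750 and files 640, and it finishes with a check for anything still world-readable, which is the condition the original question is about. Assumptions: POSIX find/chmod/chgrp and mktemp -d; the group you pass is the one the web server runs as and one you may chgrp to (you must belong to it, or be root); the function names and the demo files are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Hardens a web tree so that the owner
# and the web server's group can read it but "others" (other accounts on a
# shared host) cannot, then audits for anything still world-readable.
#
# Assumptions: POSIX find/chmod/chgrp, mktemp -d; the group passed in is the
# one the web server runs as (www-data, apache, nobody, ...) and you are
# allowed to chgrp to it (member of that group, or root).

# Directories get 750 (rwxr-x---): the server needs the x (search) bit to
# walk into them. Files get 640 (rw-r-----): the server only needs r.
# A plain "chmod -R 640" would remove x from the directories and lock
# everyone, including you, out of the tree.
harden_tree() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir"
    fi
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# Print every path below $1 whose mode still grants "others" read.
# (-perm -004 is the portable spelling of -perm -o=r.)
world_readable() {
    find "$1" -perm -004 -print
}

# Symbolic mode of one path: the first 10 characters of ls -ld
# (e.g. drwxr-x---), ignoring any trailing ACL or SELinux marker.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Build a small throwaway tree with deliberately sloppy permissions
# (constructed demo data, no real secrets) and print its path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/inc" "$t/uploads"
    printf '<?php $db_pass = "constructed";\n' > "$t/inc/config.php"
    printf '<?php include "inc/config.php";\n' > "$t/index.php"
    printf 'x\n' > "$t/uploads/a.txt"
    chmod -R 777 "$t"
    echo "$t"
}

# Stand-alone demo: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    t=$(make_demo_tree)
    echo "world-readable before:"; world_readable "$t"
    harden_tree "$t" "$(id -gn)"    # your own group stands in for www-data
    echo "world-readable after (should be empty):"; world_readable "$t"
    mode_of "$t/inc"; mode_of "$t/inc/config.php"
    rm -rf "$t"
fi
```

On a real shared host you would call `harden_tree /path/to/docroot www-data` once and then run `world_readable /path/to/docroot` whenever a script or an upload creates new files, since files PHP writes as the server user arrive with that user's umask, not yours.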