File uploads... Unix permissions.
On a Unix box, in order to upload files to a certain directory it must have at least 707 permissions. In that state what stops other parties that share the server writing to that directory? The server is not running any open_base_directory restrictions (according to phpinfo).
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
I replied to your thread on Sitepoint but basically if the host uses suexec then you don't need the permissions you mentioned since only *you* need write access. If not then you're stuck with simple file uploads. I guess FTP'ing to localhost with your username and password, as per feyd's suggestion wouldn't add a huge amount of overhead though... file uploads aren't exactly fast in any case since most of the time will be TCP traffic.
- Chris Corbyn
bokehman wrote: ftp_connect() is not enabled on this server but it was a nice idea. Can you expand on the suexec a bit, I'm not familiar with it.
Web hosts have the ability to run PHP either as a module under apache, or using CGI.
Using the module means that PHP will use the userid of apache and that's that.
Using CGI calls the interpreter outside of apache itself so it can be run under a different userid. suexec is an apache module which allows you to change the userid in this way so combine it with the CGI and you're able to affect the PHP userid.
Now, the great thing about apache is that you can change its settings on a per-directory basis. So for each person's home directory on the server PHP can be run under a different userid. It makes sense to get PHP running under the userid of the account holder. Many hosts do this.
Of course, if everybody on the server is running PHP as themselves it's a lot easier to restrict access to your files from other users because you can just set the permissions to yourself and nobody else.
Like I say, the quickest way to figure it out would be to create a file using PHP and then use FTP to view the ownership details on the file.
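The check suggested in the post above (create a file from PHP and look at who owns it), as an added example that is not part of the original thread: it compares the new file's owner with the script's owner and reports the mode of the upload directory. The `uploads` path and the helper name `describe_uid` are assumptions.

```php
<?php
// Added example: find out which Unix user PHP runs as on this host and how
// exposed the upload directory is. $uploadDir is a hypothetical path.
$uploadDir = __DIR__ . '/uploads';

function describe_uid($uid)
{
    if ($uid === false) {
        return 'unknown';
    }
    // posix_getpwuid() needs the posix extension; fall back to the bare uid.
    if (function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid($uid);
        if ($pw !== false) {
            return $pw['name'] . " (uid $uid)";
        }
    }
    return "uid $uid";
}

// 1. Create a file from PHP and read its owner: that is the uid PHP runs as.
$probe = $uploadDir . '/owner_probe_' . uniqid() . '.tmp';
if (@file_put_contents($probe, 'probe') === false) {
    exit("PHP cannot write to $uploadDir\n");
}
clearstatcache();
$processUid = fileowner($probe);
unlink($probe);

// getmyuid() returns the owner of this script file, i.e. the account holder.
$accountUid = getmyuid();

echo 'Script owner : ', describe_uid($accountUid), "\n";
echo 'PHP runs as  : ', describe_uid($processUid), "\n";
if ($processUid !== false && $processUid === $accountUid) {
    echo "PHP runs as the account holder (CGI + suexec style): only the owner needs write access.\n";
} else {
    echo "PHP runs as a different user (module style): uploads need write access for that user.\n";
}

// 2. Report the directory mode and flag the "other" bits the question asks about.
$mode = fileperms($uploadDir) & 0777;
printf("%s mode: %03o\n", $uploadDir, $mode);
if ($mode & 0002) {
    echo "World-writable: any other account on the server can create files here.\n";
}
if ($mode & 0004) {
    echo "World-readable: any other account on the server can list this directory.\n";
}
```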
- Chris Corbyn
Well, it doesn't seem too secure. I have a recursive directory read function and set it to start at ../ and it can read everything. File content is readable too... things like this...
$dbhost = 'www.*****.com';
$dbname = '*****_db';
$dbuser = '*****';
$dbpasswd = '*****';
I wasn't really too happy about the server when I took the job on. I've been on to the client and told them it's not secure but they say they don't want to change "because they are nice people and just down the road".