
Posted: Fri Oct 26, 2007 2:18 pm
by alex.barylski
In most shared hosting environments that I work in (I work in a lot, probably upwards of 50 different hosting companies a day - setting up software) are usually run under PHP not FTP. Although I have seen a few.

My suggestion would require running PHP as its own user, so something like PHPSUEX...
Because I prefer to have write protection instead of *some* read protection ...
I'm missing something...If you had PHP run under a user which had ownership of the files and you set the GLOBAL permissions to 770 so nothing on the outside world could access your files but your PHP scripts could...how is that not giving you READ/WRITE protection???

Posted: Fri Oct 26, 2007 6:41 pm
by VladSun
Hockey wrote:In most shared hosting environments that I work in (I work in a lot, probably upwards of 50 different hosting companies a day - setting up software) are usually run under PHP not FTP. Although I have seen a few.

My suggestion would require running PHP as its own user, so something like PHPSUEX...
I could agree with you, but not in this case (the OP) ... You have no prior knowledge about target's hosting environment, while .htaccess would work on ALL setups. And still, there are "a few" hosting companies that run under FTP ....
Hockey wrote:I'm missing something...If you had PHP run under a user which had ownership of the files and you set the GLOBAL permissions to 770 so nothing on the outside world could access your files but your PHP scripts could...how is that not giving you READ/WRITE protection???
I meant that if you have an Apache or PHP script exploit, then the fewer files one can write to, the more secure you are. So, if my files inside web root are not owned by the Apache/PHP user and they are chmoded 644, then one won't even be able to deface my site (that is for "write protection").

I know that there are many and various techniques to secure a hosting environment, but I think that discussing them is a little bit out of the scope of this discussion. The question was - "Can I use CHMOD to protect from direct browsing?" - the simplest answer is: "No". That's it.
Using chmod would still require a PHP wrapper script, right? So, both (htaccess and chmod) approaches would need PHP wrappers, but your approach *insists* that there should be a separate PHP user, not the Apache user - so, your solution is more complicated and there are cases which it could not be applied to.

I do like this kind of conversation, so I would be glad to continue it :)
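
The permission cases argued over in the two posts above, modelled as an added example that is not part of the original thread. The account names and uids are constructed, and root and ACLs are left out of the model.

```python
import stat

def effective_access(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return the subset of "rwx" a non-root process gets on a file.

    POSIX selects exactly one class: owner if the uid matches, else group
    if one of the process's gids matches, else other. ACLs are ignored.
    """
    if proc_uid == file_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif file_gid in proc_gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return "".join(c for c, b in zip("rwx", bits) if mode & b)

# Constructed accounts as (uid, gids); the numbers are assumptions.
SITE_USER = (1001, {1001})   # account owner: FTP user, or PHP under a suexec setup
APACHE = (33, {33})          # shared web server user that serves static files
NEIGHBOUR = (1002, {1002})   # another customer on the same machine

def access_table(mode, owner):
    """Map each constructed account to its access on a file owned by `owner`."""
    uid, gids = owner
    gid = next(iter(gids))
    who = {"site_user": SITE_USER, "apache": APACHE, "neighbour": NEIGHBOUR}
    return {name: effective_access(mode, uid, gid, *acct) for name, acct in who.items()}

def scenarios():
    return {
        # PHP as its own user, files 770: Apache cannot read the file at all,
        # so any request it serves directly fails and a PHP wrapper must stream it.
        "770 owned by site user": access_table(0o770, SITE_USER),
        # Files owned by the FTP user, 644: Apache can serve but not modify,
        # so a web server or script exploit cannot overwrite them.
        "644 owned by site user": access_table(0o644, SITE_USER),
        # PHP as the Apache user owning the files: served and writable.
        "770 owned by apache": access_table(0o770, APACHE),
    }

if __name__ == "__main__":
    for label, table in scenarios().items():
        print(f"{label}: {table}")
```

Each result is per account, not per request: the mode bits give the web server user the same answer whether the URL was typed directly or came from an embed.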

Posted: Sun Nov 04, 2007 2:47 am
by rogersoh
target wrote:So what I'd like to do is have files like FLV Flash Videos inside a directory that is in a "web-accessible" path (http://mysite.com/protected/video.flv) but protected by CHMOD or .htaccess so people can't directly download by just going to the URL, but they can access it from a webpage by straight HTML:

<embed src="video_player.swf?file=/protected/video.flv"></embed>
If I understand your question correctly, you do not want the flv file to be downloaded directly using its URL.

I have found a way to do this. It involves the use of 2 domain names, a JavaScript js file and .htaccess.

Summary of what I did:

1. The JavaScript js file is stored in a folder in domain name "A" and is protected by .htaccess to only allow access if the referral is from domain name "B". The JavaScript js file consists mainly of document.write and the location of the flv file. Because it cannot be accessed by direct URL, the flv filename and location are not known to others.

2. Create the html file in domain name "B" to access the JavaScript file in domain name "A".

The video can then be viewed from the file in domain name "B".

Details of the files and the .htaccess coding are found in my blog at http://tipsonvideomaking.blogspot.com/2 ... -from.html