file security - appreciate your opinion

Posted: Sun Dec 13, 2009 10:24 am
by jeffz2010
initial settings
----------------------------
1. re-written file:
  • a. file name: abc.php
  • b. file owner: admin
  • c. file permissions: 644
2. re-writing file:
  • a. file name: online_interface.php
  • b. file owner: apache (file created by apache server to allow future file manipulation by server)
  • c. file permissions: 644
on-line interface workings
-----------------------------------
Task: human user re-writes abc.php content, using online_interface.php manager.
Explanation: to those asking "why would anyone allow that?": say, file holds periodic report, or it is a language specific file and it needs to be amended from time to time etc.

How on-line interface works:
1. abc.php has its permission changed to 777
2. content of abc.php is replaced
3. abc.php permissions are changed to 644

doubts
---------------
1. Is file possessing apache as user more vulnerable to unauthorised access/change, than one with admin user?
2. Can apache-owned file be compromised by off-filesystem (located on different website) equivalent of online_interface.php?
3. I assume that if someone succeeded to inject some file-manager into filesystem, he would be able to do whatever changes he desires, but that means that sftp credentials must have been compromised, right?

If there are some other "perils", please share your thoughts and experience.
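The three-step rewrite described in the post, placed next to an atomic rewrite that never widens permissions; this is an added example written for this thread, not code from the poster. It assumes PHP, that the web server user owns (or has group write on) the target directory and file, and uses constructed function names and paths.

```php
<?php
declare(strict_types=1);

// The post's procedure: between the two chmod() calls the file is mode 0777,
// so any local user or process on the host can overwrite it in that window.
function rewriteWithChmodWindow(string $path, string $content): bool
{
    if (!chmod($path, 0777)) {
        return false;
    }
    $ok = file_put_contents($path, $content) !== false;
    chmod($path, 0644); // the window stays open until this line runs
    return $ok;
}

// Atomic alternative: write a private temp file in the same directory
// (tempnam() creates it with mode 0600), set the final mode on it, then
// rename() it over the target. Readers see either the old or the new file,
// and the file is never wider than 0644 at any point.
// Caveat: if the directory is not writable, tempnam() falls back to the
// system temp dir and rename() across filesystems is not atomic.
function rewriteAtomically(string $path, string $content): bool
{
    $dir = dirname($path);
    $tmp = tempnam($dir, '.rewrite-');
    if ($tmp === false || strpos($tmp, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false; // refuse the fallback location
    }
    if (file_put_contents($tmp, $content, LOCK_EX) === false
        || !chmod($tmp, 0644)
        || !rename($tmp, $path)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

// Restrict the interface to files inside one fixed directory, so a supplied
// name cannot be pointed at arbitrary files on the host.
function resolveTarget(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed usage: $target = resolveTarget('/var/www/reports', 'abc.php');
// if ($target !== null) { rewriteAtomically($target, $newContent); }
```

The directory check is not part of the post's procedure; it is added because a manager script that accepts a file name is only as safe as the set of files it is allowed to reach.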