PHP application permissions
Posted: Fri Dec 29, 2006 12:49 pm
Hi all,
I have a fairly straightforward question about the permissions I should use on the files in my PHP application. I expect this has been answered at length elsewhere on this forum and on the net, but I'd love some intelligent advice from the devnet community to avoid any security issues.
My requirements are very simple - I am working on a PHP app with a few hundred files, which will eventually be distributed as an Open Source package. Apart from a single directory, which the webserver should have write permissions for in order to write a configuration .ini file, all the files in the app need only be readable by the webserver. However, while I develop the app, I naturally need read and write permissions for all the files so I can edit them.
(N.B. I'm using Mac OS X, so assume UNIX filesystem and commands).
My confusion comes in when setting the user and group of the files. My webserver runs under user www, and I am user george on my system. So what user and group should I set the files to for development?
When I am ready to distribute the app, do I need to change user, group and/or permissions at all? And what happens when a user uploads the app to a webserver using FTP - do things get screwed up? I'm sure I could find all the answers myself by doing tests, but I'd really like to follow best practice as this is an important project.
For permissions, I guess I should use the following:
640 for files (user read and write, group read)
750 for dirs (add execute bit for both user and group)
770 for my config directory
Is this the most secure for my needs? I get in a muddle because I don't know whether I should have the files as owned by george but accessible by www by adding www to group george, or the other way round - owned by www but accessible by george.
Please help!!!
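The following script is an added example for this post, not code from the original thread. It implements one of the two arrangements the poster asks about (files stay owned by the developer, group-owned by the web server's group) with exactly the modes proposed above: 640 for files, 750 for directories, and a group-writable config directory, plus an audit that flags anything left world-accessible or group-writable outside that directory. The group name www, the config directory name config, and all paths are assumptions; on a real server the group must be the one the PHP worker process actually runs as.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the
# 640/750 permission scheme for a PHP application tree.
# Assumptions: the developer owns the tree (the user running this script),
# the web server runs as user "www" whose group is also "www", and the
# writable config directory sits directly under the application root.
set -eu

# Apply the scheme: developer keeps ownership, web server group gets read
# access through the group bits, and only the config dir is group-writable.
harden_app_tree() {
    app_root=$1      # path to the application root
    web_group=$2     # group the web server runs as (assumed: www)
    config_dir=$3    # directory under app_root that www must write to

    [ -d "$app_root" ] || { echo "no such directory: $app_root" >&2; return 1; }

    chgrp -R "$web_group" "$app_root"
    find "$app_root" -type d -exec chmod 750 {} +
    find "$app_root" -type f -exec chmod 640 {} +

    # Config dir: group-writable, with setgid so files www creates there
    # keep the web server group rather than www's primary group.
    chmod 2770 "$app_root/$config_dir"
}

# Audit the result. Prints offending paths to stderr and returns 1 if
# anything is readable/writable/executable by "other", or group-writable
# anywhere except the config directory; returns 0 if the tree is clean.
audit_app_tree() {
    app_root=$1
    config_dir=$2
    bad=$(
        # any read, write or execute bit set for "other"
        find "$app_root" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
        # group-writable entries, skipping the config directory and its contents
        find "$app_root" -path "$app_root/$config_dir" -prune -o -perm -020 -print
    )
    [ -z "$bad" ] || { printf '%s\n' "$bad" >&2; return 1; }
    echo "ok: $app_root"
}

# Usage: harden_app_tree /path/to/app www config && audit_app_tree /path/to/app config
```

The setgid bit on the config directory is the one addition beyond the modes in the post: without it, a file written by www takes www's primary group, which only matters if that differs from the group you chose for the tree. Run the audit again after any deployment step that might reset modes, since the audit is what tells you whether the 640/750 scheme actually survived.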