Hello there!
I have a Fedora 1 box running Apache 2.0.50. I have installed it using Fedora RPMs.
A friend of mine has his homepage on my server and he has a PHP guestbook. The PHP file is called guestbook.php and when users submit something in his guestbook the PHP script writes that to a file called guestbook.txt.
This works just fine but he is worried by the permissions on the file. The guestbook.txt file has the following permissions: -rwxr-xrw-
Owner is the username of my friend and the group owner is also my friend.
He has heard someplace that having such a file world writeable is a security risk. He tells me that the file should not be writeable for everyone, but it has to be or the PHP script fails, I tell him...
But he insists that it's possible to use this PHP script and write to the txt file without having all other users write permission. He says that it's a way of just giving the script permission to write to the txt file and that's a good idea because now everyone can do whatever they want to the txt file...
The only problem is that he doesn't remember how this was done and I don't know either...
How is this done by the Pro's?
Øyvind
On Tue, 2004-08-31 at 14:23, Øyvind Lode wrote:
> This works just fine but he is worried by the permissions on the file. The guestbook.txt file has the following permissions: -rwxr-xrw-
> Owner is the username of my friend and the group owner is also my friend.
> He has heard someplace that having such a file world writeable is a security risk. He tells me that the file should not be writeable for everyone, but it has to be or the PHP script fails, I tell him...
> The only problem is that he doesn't remember how this was done and I don't know either...
> How is this done by the Pro's?
Not sure how the "Pro's" do it, but what you probably need to do is assign group permissions on the file to the user that PHP runs as. I think it is the user Apache runs as, which on Fedora is either apache or nobody. (I think that depends on if you installed from source or RPM files)
Then you would need 770 permissions, which means the owner and the group have read/write permissions and others (the world) have no permissions on that file.
(770 translates to -rwxrwx---)
Scot L. Harris said:
> On Tue, 2004-08-31 at 14:23, Øyvind Lode wrote:
> > This works just fine but he is worried by the permissions on the file. The guestbook.txt file has the following permissions: -rwxr-xrw-
> Then you would need 770 permissions, which means the owner and the group have read/write permissions and others (the world) have no permissions on that file.
> (770 translates to -rwxrwx---)
I guess you wouldn't want execute permissions on a txt file either, i.e. -rw-rw----
On Wed, 2004-09-01 at 03:33, HaJo Schatz wrote:
> Scot L. Harris said:
> > On Tue, 2004-08-31 at 14:23, Øyvind Lode wrote:
> > > This works just fine but he is worried by the permissions on the file. The guestbook.txt file has the following permissions: -rwxr-xrw-
> > Then you would need 770 permissions, which means the owner and the group have read/write permissions and others (the world) have no permissions on that file.
> > (770 translates to -rwxrwx---)
> I guess you wouldn't want execute permissions on a txt file either, i.e. -rw-rw----
Very true.
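
The change the thread converges on, written out as shell functions (an added example, not code from any of the posters): detect the world-writable bit, refuse symlinks, hand the file to the web server's group and set mode 660. The group name `apache` and all function names are assumptions; check which account your httpd actually runs as.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: httpd runs with group
# "apache"; pass a different group as the second argument if yours differs.

# True if "others" may write to the file (the -rwxr-xrw- case above).
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]
}

# Print the 10-character mode string, e.g. -rw-rw----
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Give the web server's group write access and remove all access for others.
# Run as root, or as the file's owner if the owner is a member of the group.
harden_data_file() {
    file=$1
    group=${2:-apache}
    # chgrp/chmod follow symlinks, so refuse them: a link planted in a
    # user-writable directory could redirect the change to another file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing: $file is not a plain regular file" >&2
        return 2
    fi
    chgrp "$group" "$file" || return 1
    chmod 660 "$file" || return 1     # rw for owner and group, nothing for others
}

# List every world-writable regular file below a directory (e.g. a docroot).
list_world_writable() {
    find "$1" -type f -perm -002 -print
}
```

Any other script executed by the same httpd account can still write the file, since the permission is granted to the account and not to guestbook.php itself.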