What is the safest chmod for a web app to write into a simple .txt file that should not be accessible by the public?
Thanks,
Jean
Do you mean not accessible to the public via a web server? You would need to use a .htaccess file to limit access.
PHP will most likely be hosted through the apache process or as a CGI probably running under the same user as the apache process, so chmod wouldn't work in 90% of cases.
If your PHP process runs as another user, you can only allow r/w for the public. But if you mean not accessible by the public through your web server, you can use .htaccess to deny access to it.
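Added example (not part of the answers above): one way to combine an owner-only mode with the .htaccess deny rule the answers mention. The function name `protect_data_file`, the directory layout, and the assumptions that the script runs as the web app's account and that AllowOverride permits these directives are all illustrative.

```shell
#!/bin/sh
# protect_data_file DIR NAME: create DIR/NAME readable and writable by its
# owner only, and add an .htaccess rule so Apache refuses to serve it.
# Assumption: run as the account the web app runs as, with AllowOverride
# permitting authorization directives in .htaccess.
protect_data_file() {
    dir=$1 name=$2
    mkdir -p "$dir" || return 1
    ( umask 077; : >> "$dir/$name" ) || return 1   # a new file starts with no group/other access
    chmod 600 "$dir/$name" || return 1             # tighten a file that already existed
    # Append the rule once; repeated calls must not duplicate it.
    if ! grep -qF "<Files \"$name\">" "$dir/.htaccess" 2>/dev/null; then
        cat >> "$dir/.htaccess" <<EOF
<Files "$name">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
    fi
    chmod 644 "$dir/.htaccess"                     # the server must be able to read it
}

# Constructed demo in a throwaway directory.
demo=$(mktemp -d)
protect_data_file "$demo/private" data.txt && ls -la "$demo/private"
rm -rf "$demo"
```

The two IfModule branches cover Apache 2.4 (`Require all denied`) and Apache 2.2 (`Order`/`Deny`). Keeping the file outside the document root avoids the need for the rule altogether.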
Related
I have a question about file permissions in Linux.
Let's suppose I have hosted an index.php file on my machine. The file can be read in a browser. But I want to make it so that it is viewable in the browser but not accessible from my machine.
Is there any way I can restrict someone from accessing it in my machine's folder while it can still be read via the browser?
P.S.: He/she has a low-privileged shell.
The webserver runs as some user, for example apache. Make the file owned by apache with permission 600. This makes it available to user apache and no-one else.
Is it possible to set root permissions for a PHP script and manipulate system folders?
For example:
I want to monitor file changes in specific folder and display it to browser
Try using sudo: http://www.gratisoft.us/sudo/
An example of using sudo on php.net: http://www.php.net/manual/en/function.exec.php#56274
You should take the other way round: Make the script readable (and only readable) for the user PHP is running under.
Allowing PHP to run with root rights with access from outside (=> browser) is .. just stupid.
Yes, it is possible but not recommended unless your server is internal. In other words, if no one will have access to your server, you can do that, such as for an internal application. Exposing this to the world is highly discouraged.
The way to do this is to add your process to sudoers. If you are using this via httpd, you can add the httpd process to sudoers.
The Config:
Webserver Apache 2.2 / mod_php 5.3 (FreeBSD 8)
User websites:
/home/user/public_html
Platform files
/usr/local/myPlatform/
The Premise:
Each vhost in the apache config has the platform directory aliased to /myPlatform so it can be accessed via hxxp://www.mysite.com/myPlatform - This is to keep the source of the platform system safe from being stolen by a user.
The Problem:
The platform directory is 500 owned by the apache user. This is good and keeps the shell users from being able to view the files and still allows apache to read and exec the php files. However, one could conceivably create a PHP script (which runs as apache) to parse the directory listing, copy the files and give them as a zip download or something to the person. Obviously this is obscure and more or less unlikely but still possible.
Is there any way to prevent this? I.e., blacklist that directory from fopen, shell, and shell_exec commands?
For that matter, is there a way to do this in such a way that it works for all server-side scripting languages such as perl, in addition to php?
Possible to do this without suPHP or suExec?
This problem occurred to me multiple times now, and it's time for me to do it the right way!
How can I upload a website to the server, where php has access to the folders for writing data.
Usually I use an FTP program, but I can't upload as root, so there are restriction problems all over the place...
How do you do stuff like this?
Thanks!
EDIT
I'm sorry, I accidentally added rails to the tags instead of php.
Probably I need to clarify my problem, since the answers didn't really help me out here:
I already have a server running apache, DirectAdmin and some other stuff like rails.
And the problem is when I upload a website like joomla or wordpress via FTP the restrictions always need to be set to 777/775 or these sites can't write to the folders..
So what I need to know is:
How can I upload these sites (via FTP/SSH) as a user (root) that is the same as php, so that php can create files in all folders it needs to write to?
Hope I'm being more clear now, thanks for the help so far!
Use a server with ssh access and full write access to wherever your Rails app is hosted (and usually ssh access is as the user that Rails runs as).
For me this usually means a VPS type server. I like Rackspace Cloud, which turns out to be around $11 - $15 per month for a low traffic, low spec server. I've also heard good things about Linode.
The solution
Upload your site with FTP
SSH to the server and go to the public_html folder
chown -R [user_name]:[group_name] [folder_name]
For me the right user was apache..
How can you allow a PHP script to write to a file with high-security restrictions, such as only allowing a single user to write to it?
The difficulty seems to be that a PHP script is running as a low-permissions user (maybe apache, or www, or nobody?), and even if I chown apache the_writable_file, the directory it's in might not be writable for the low-level user. In general, what's the usual way that PHP can work with local files in a secure way?
Unfortunately, in shared hosts that use mod_php, there is no way to restrict access to secure files to your web app and login user.
The solution is to run your web app as your login user. When you do that, UNIX file permissions can correctly lock everyone else out. There are several ways to implement that, including SuExec, suPHP, or running PHP with FastCGI with mod_fcgid or mod_proxy_fcgid. FastCGI is my favorite way.
Another solution is to use a dedicated host or virtual private server.
Sure, chgrp apache the_writable_file and chmod g+w the_writable_file. After that, only your secure user and the apache user will be able to write to the file. Since the apache user is typically forbidden from logging in, you only have to worry about web users writing to your secure file through the http daemon.
All the containing folders need to have execute permissions.
For example, if the file's in /foo/bar/the_writable_file, the directories "foo" and "bar" both need to have executable permission to access the_writable_file, even if they don't have read/write permission.
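Added example (not part of the answers above): a small audit for the two conditions just described, group write on the file and execute (search) permission on every containing directory. The function names `missing_x` and `group_can_write` and the demo tree are constructed for illustration; the check reads mode bits only and does not consider ACLs.

```shell
#!/bin/sh
# missing_x CLASS FILE [TOP]: print every directory from FILE's parent up to
# TOP (default /) that lacks the search (x) bit for CLASS: g = group, o = other.
# No output means that class can traverse the whole path.
missing_x() {
    class=$1 file=$2 top=${3:-/}
    case $class in
        g) pos=7 ;;                        # column of the group x bit in ls -l
        o) pos=10 ;;                       # column of the other x bit
        *) echo "class must be g or o" >&2; return 2 ;;
    esac
    dir=$(dirname "$file")
    while :; do
        bit=$(ls -ld "$dir" | cut -c"$pos")
        case $bit in
            x|s|t) ;;                      # s / t: setgid or sticky with x also set
            *) printf '%s\n' "$dir" ;;
        esac
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
}

# group_can_write FILE [TOP]: succeed only if FILE has g+w and every directory
# above it (up to TOP) has g+x.
group_can_write() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ] && [ -z "$(missing_x g "$1" "${2:-/}")" ]
}

# Constructed demo tree (not from the page): bar starts without g+x.
demo=$(mktemp -d)
mkdir -p "$demo/foo/bar"
: > "$demo/foo/bar/the_writable_file"
chmod 664 "$demo/foo/bar/the_writable_file"
chmod 755 "$demo" "$demo/foo"
chmod 700 "$demo/foo/bar"
missing_x g "$demo/foo/bar/the_writable_file" "$demo"
group_can_write "$demo/foo/bar/the_writable_file" "$demo" || echo "group cannot write yet"
chmod g+x "$demo/foo/bar"
group_can_write "$demo/foo/bar/the_writable_file" "$demo" && echo "group can write"
rm -rf "$demo"
```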