Whenever we use chmod, we set different authorities to different users types like
owner, group, others, all
What I dont know is, how do define who is owner, who is group and who are others.
Can we use this while implementing login system? What I mean is, by verifying a username, I want to define if the logged in user is owner, a group or others so that I can deny access to file or folder.
May be my title does not reflect the question, if someone with rep power finds a better title, please edit it?
Are you trying to use file system permissions to allow or deny access to the files served by php, or to php scripts themselves?
This is not possible. There is always one and only one user who runs apache and php. What that user is called depends on your system: it could be called "apache" or "www" or even "nobody".
When you implement a login system to your website, you are not dealing with this. When you implement a login system, you are doing nothing more than associating a token to the current session. Then according to the token you can change the normal course of the php script (allowing or denying access, display one or another data template, etc...). But, for the operating system, there is absolutely no difference.
You should take a look at some php tutorials about authentication. If you don't want to implement one yourself, this is a viable solution:
http://framework.zend.com/manual/en/zend.auth.introduction.html
Related
My server wont allow users to write files in php, for as far as I looked this has to do with user permissions. But solving this causes a major security flaw. More information about these solutions can be found here php won't create file and here How do I give PHP write access to a directory?
So my question is instead of changing the servers permissions, is it possible to change the user's permission or permission group only after he logs into the application? In php terms after running the login() function.
I want this because I am developing an application that is an extension on the admin panel of askozia(a call center). Where each user can change and see its own data, without being able to change and see the admin settings and the data of other users. However all this data is not saved in a database but in an XML-file, so users need to be able to write to this XML-file.
You should not change the User (Which would be a bigger security hole). You want some rights for your current user.
For Windows:
http://technet.microsoft.com/en-us/library/bb727008.aspx
For Linux
http://www.computerhope.com/unix/uchmod.htm
Don't forget: The useraccount for your webserver is not the user in front of the website. You have to care about the "website viewers" permission. But your webserver account, should have all rights he need. If you would change the user, it would be the same.
The permissions that are given on the filesystem are from the user that is running the PHP instance. You cannot change the permission on runtime, but you can start a different application under a different user using sudo on *nix (and runas under Windows) to create, modify and read files.
You can check the 'web user' when it's trying to change a file to prevent malicious modifications when you want to use the standard PHP file operations (but this still requires the PHP instance to have write permissions on the file).
I'm in need of a solution to allow clients access to physical folders.
My first intention was to manually control this by using a .htpasswd file, but I was curious if any of you have come across a solution that already exists.
Something that would allow an admin to create users with passwords, and create physical folders for those users.
We have an application that stores paths in relation to users. So by default all paths are blocked. But we grant each user access to a path in our table. Then when a page is accessed we check to see if there is a record in our database for a user to have access to that particular page/path.
In coldfusion this can be done in the onRequest method before any page processing is done. You could do it on the page itself I guess. Are you looking for a plugin or just a way to do it?
I am using php/mysql on linux servers. I want to create a user sub domain for each user upon sign up. For instance, john doe --> johndoe.example.com
The issue is, we are going to allow customizations such as adding custom features for clients wanting customizations. So, is it better we automate the process or manually create sub domains for clients requiring customizations and let other users just use basic login?
And how can i automate the process if need be?
Instead of creating subdomains, have a wildcard subdomain which is mapped into one folder and with PHP figure out which user's data you want to show.
If you are using a cPanel hosting, creating a wildcard subdomain should be pretty easy and wont require any manual adjustment to the httpd.conf file. Otherwise whenever you will add individual subdomains Apache will be restarted in the background, which is not at all good.
I rephrased my answer for clearer understanding.
I've been looking for a small program/script to run on Apache that can manage user access to several folders on my website. The issue is that it's not one block of content that will require "member" status but several different folders. User 1 may have access to folder A, but not B and user 2 maybe both folders or only B.
Looking for a program that makes it easy to manage these issues for a few hundred users. It doesn't require strong passwords, just confirmation of e-mail address once. Preferably in PHP.
Take a look at Zend_Acl and this:
PHP login class
Found what I was looking for here. Have not installed yet, but documentation is good and interface looks fine.
I am creating a PHP script for my website that would allow my clients to login to their client account and view a list of files I've uploaded for them. Then they can download them without having to relogin or re enter a password.
I want to keep it secure so anyone cant come in and download the files if they know the clients name.
I've tried .htacccess, protecting the folders, etc.. but it doesnt seem to work. I've written the client login script thatl ets them login and view a list of files in their directory but I can't have them right click to download it without having them login.
Something similar can be seen here:
http://forums.cgsociety.org/showthread.php?f=76&t=808482
In the 2nd post, if you try to click delete.jpg it won't let you download it without logging in. I want this similar feature for my site.
The site is created in PHP, with a MySQL database.
The folder itself should have security permissions set that regular users do not have access to it, only whatever user runs the PHP process.
Your PHP scripts act as a passthrough for the actual file system. The users don't have permissions to see a list of files, but your scripts do. The users don't have permissions to access a file, but your scripts do so you can open them as binary files and write the data out to be sent to the user.
Do some research into PHP File Downloaders, this is fairly standard behaviour.
You could use cookies to signify that the user has been there before, and been authenticated. Make the value of the cookie be fairly random, so it can't be guessed. I would encrypt the username . timestamp and store that with the username, so username_token and that way you can time people out and force them to login, if you want, later.
Then, move the files out of the webapp directory, and have a cgi program that will show the files in the directory, and allow them to download them.
This way you can control what people see, and what actions are allowed.