I was starting to make and test some pages for web-based file management using PHP (4.3.2) with Apache (2.0.46) on a FreeBSD (4.8) server. The pages of course would be secured with SSL and use .htaccess files combined with mod_auth_pgsql to provide logins.

Apache is running as user nobody, so I had to switch the directories and files to be owned by user nobody, with security of 0744 on files and 0755 on directories. Since users will not be given local login access or FTP access, my first thought was that this is OK. But what is to stop user1 from uploading a PHP script that will delete or modify files in user2's directory?

I realize that I could make this somewhat harder by placing users' files behind randomly generated directory names, making it harder for user1 to guess that user2's files are in a directory named 370261, but this only makes it a little more difficult.

--
Thanks,
Dean E. Weimer
http://www.dwiemer.org/
[EMAIL PROTECTED]
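
The concern raised in this message, that mode bits cannot separate user1 from user2 when every file is owned by the one account the web server runs as, can be checked with a small audit. This Python sketch is an added example, not part of the original message; the tree it builds is constructed, and the directory name 118204 and the file name notes.txt are made up (370261 is the name used in the post).

```python
import os
import stat
import tempfile

# Constructed layout: one "randomly named" directory per tenant.
TENANTS = {"user1": "118204", "user2": "370261"}

def build_tree(root):
    """Create one 0755 directory and one 0744 file per tenant, all owned by this uid."""
    for tenant, dirname in TENANTS.items():
        d = os.path.join(root, dirname)
        os.mkdir(d)
        f = os.path.join(d, "notes.txt")
        with open(f, "w") as fh:
            fh.write(tenant + " data\n")
        os.chmod(f, 0o744)
        os.chmod(d, 0o755)

def audit(root, uid=None):
    """List files under root that any code running as `uid` may rewrite or unlink."""
    uid = os.geteuid() if uid is None else uid
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        dst = os.stat(dirpath)
        # Unlinking a file needs owner write and search permission on its directory.
        can_unlink = dst.st_uid == uid and (dst.st_mode & 0o300) == 0o300
        for name in files:
            full = os.path.join(dirpath, name)
            fst = os.stat(full)
            can_write = fst.st_uid == uid and bool(fst.st_mode & stat.S_IWUSR)
            if can_write or can_unlink:
                exposed.append((os.path.relpath(full, root), can_write, can_unlink))
    return sorted(exposed)

def run_demo():
    """Build the constructed tree in a temp directory and audit it as the current uid."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        return audit(root)

if __name__ == "__main__":
    for path, writable, deletable in run_demo():
        print(f"{path}: writable={writable} deletable={deletable}")
```

Both tenants' files are reported as writable and deletable by the same uid, and the directory names appear in the walk of the 0755 parent, so the random names do not hide them from a process running as that account.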