At 1:02 AM +0100 6/6/10, Ashley Sheridan wrote:
On Sat, 2010-06-05 at 18:55 -0400, tedd wrote:

Hi gang:


I didn't change the parent directory permissions to unlink the file -- duh!


I was just about to mention this! It's one of the bizarre security loopholes in Linux. If you have write permissions to a directory but not a file within it, you can still delete the file. I believe you can change this behaviour with filesystem security mods, but I've not tried that.


Yes, I've seen where you can delete files within a directory by changing the directory permissions.

It's not often that my scripts create/delete files on the server -- so I'm not up on it as much as I probably should be.

However to me, it seems overly cautious to require scripts -- that are already running on the server -- to have the authority (ftp id and password) to create/delete files. After all, the scripts would not be there if the person who placed them there didn't have authority to create and delete files. So, I have to wonder under what scenario would evil scripts be found/run on the server?

For example, if anyone was going to create an evil script and place it on the server, they must have the authority to do that. And if they had that authority, then they could just as easily add that to their script and side-step this requirement, right? So, what's the purpose?




PHP General Mailing List (
To unsubscribe, visit:

Reply via email to