At 1:02 AM +0100 6/6/10, Ashley Sheridan wrote:
>On Sat, 2010-06-05 at 18:55 -0400, tedd wrote:
>>I didn't change the parent directory permissions to unlink the file -- duh!
>
>I was just about to mention this! It's one of the bizarre security
>loopholes in Linux. If you have write permissions to a directory but
>not a file within it, you can still delete the file. I believe you
>can change this behaviour with filesystem security mods, but I've
>not tried that.

Yes, I've seen where you can delete files within a directory by
changing the directory permissions.

It's not often that my scripts create/delete files on the server --
so I'm not up on it as much as I probably should be.

However to me, it seems overly cautious to require scripts -- that
are already running on the server -- to have the authority (ftp id
and password) to create/delete files. After all, the scripts would
not be there if the person who placed them there didn't have
authority to create and delete files. So, I have to wonder under what
scenario would evil scripts be found/run on the server?

For example, if anyone was going to create an evil script and place
it on the server, they must have the authority to do that. And if
they had that authority, then they could just as easily add that to
their script and side-step this requirement, right? So, what's the
http://sperling.com http://ancientstones.com http://earthstones.com
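
The directory-permission rule discussed in this message, together with the sticky bit (one standard way to restrict it), as an added example that is not code from the thread. `can_unlink()` is a hypothetical helper that decides from POSIX mode bits whether a given uid may delete a file; it assumes no ACLs or immutable attributes, and the second uid is constructed.

```php
<?php
// Added example (not from the thread). can_unlink() is a hypothetical helper.
// Assumes plain POSIX mode bits: no ACLs, no immutable attribute.
function can_unlink(string $path, int $uid, array $gids = []): bool
{
    $dir  = stat(dirname($path));
    $file = lstat($path);
    if ($dir === false || $file === false) {
        return false;
    }
    if ($uid === 0) {
        return true; // root bypasses the checks below
    }
    // Pick the permission triplet that applies to this uid on the directory.
    if ($uid === $dir['uid']) {
        $bits = ($dir['mode'] >> 6) & 7;
    } elseif (in_array($dir['gid'], $gids, true)) {
        $bits = ($dir['mode'] >> 3) & 7;
    } else {
        $bits = $dir['mode'] & 7;
    }
    // Removing a directory entry needs write (2) and search (1) on the directory.
    if (($bits & 3) !== 3) {
        return false;
    }
    // Sticky bit: only the file's owner or the directory's owner may delete.
    if ($dir['mode'] & 01000) {
        return $uid === $file['uid'] || $uid === $dir['uid'];
    }
    return true; // the file's own mode was never consulted
}

// Constructed scenario in a scratch directory.
$dir  = sys_get_temp_dir() . '/unlink-demo-' . getmypid();
$file = $dir . '/readonly.txt';
mkdir($dir, 0700);
file_put_contents($file, "data\n");
chmod($file, 0444);              // nobody may write to the file itself
$other = fileowner($file) + 1;   // hypothetical second account

foreach ([0777 => 'world-writable', 01777 => 'world-writable + sticky', 0755 => 'owner-writable only'] as $mode => $label) {
    chmod($dir, $mode);
    clearstatcache();
    printf("%-24s other uid may delete: %s\n", $label, var_export(can_unlink($file, $other), true));
}

chmod($dir, 0700);
unlink($file);
rmdir($dir);
```

Only the plain world-writable directory lets the second account delete the read-only file; the sticky bit or a directory that account cannot write to blocks it.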