On Friday, April 19, 2002, at 02:44  PM, ROBERT MCPEAK wrote:

> Isn't it quite common to have php creating/editing/deleting files on
> the server?  How is this done in a secure manner?

Running Apache/PHP as 'nobody' isn't really that secure, since there may 
be other services running on the system that run as 'nobody'.  The more 
services that are run under an account, the more open to an attack and 
therefore compromise that account becomes.

Tell your sysadmin that they should create a user called "www" or 
"Apache" or something as a dedicated web server user.  Then, you can 
make this user a member of group "phpusers" or something like that.  
Each trusted user on the system can also be made a member of group 
"phpusers", so that they can make files accessible to the "www" or 
"apache" user without having access to files owned by "www" or "apache".

There's a lot to it -- did you read through that FAQ I sent you?  It's 
not as simple as posting a question to a mailing list -- there are books 
devoted to this very topic.  (Don't feel bad, I asked the same thing 
once on another mailing list, and I'm still learning about the many ways 
a system needs to be secured.)

It's like the Force -- if you try to take the easy route, the Dark side, 
sure, you can get your files on the web quickly and easily.  You can DO 
just about anything.  But you leave yourself open to exploitation by 
other users of the Dark side.

However, if you invest a lot of time and effort (A LOT) into your Jedi 
training, you can continually learn how to secure your system or write 
clean code or normalize your database tables until 900 years old you 

(another Jedi student)


Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to