On Friday, April 19, 2002, at 02:44 PM, ROBERT MCPEAK wrote:
> Isn't it quite common to have php creating/editing/deleting files on
> the server? How is this done in a secure manner?
Running Apache/PHP as 'nobody' isn't really that secure, since there may
be other services running on the system that run as 'nobody'. The more
services that are run under an account, the more open to an attack and
therefore compromise that account becomes.
Tell your sysadmin that they should create a user called "www" or
"Apache" or something as a dedicated web server user. Then, you can
make this user a member of group "phpusers" or something like that.
Each trusted user on the system can also be made a member of group
"phpusers", so that they can make files accessible to the "www" or
"apache" user without having access to files owned by "www" or "apache".
There's a lot to it -- did you read through that FAQ I sent you? It's
not as simple as posting a question to a mailing list -- there are books
devoted to this very topic. (Don't feel bad, I asked the same thing
once on another mailing list, and I'm still learning about the many ways
a system needs to be secured.)
It's like the Force -- if you try to take the easy route, the Dark side,
sure, you can get your files on the web quickly and easily. You can DO
just about anything. But you leave yourself open to exploitation by
other users of the Dark side.
However, if you invest a lot of time and effort (A LOT) into your Jedi
training, you can continually learn how to secure your system or write
clean code or normalize your database tables until 900 years old you
(another Jedi student)
Web Developer Temp
Media Lab, H.H. Brown
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php