> Having write permission on the directory allows deleting a file from
> it, not overwriting it; if the .htaccess file is 444, it's impossible
> to overwrite it with an uploaded file.

This is incorrect. I'm not nitpicking here, I honestly wasn't sure
myself and had to test it:

boutell# su
Password:
[r...@boutell foo]# pwd
/tmp/foo
[r...@boutell foo]# touch bar
[r...@boutell foo]# chmod 444 bar
[r...@boutell foo]# ls -l bar
-r--r--r-- 1 root root 0 Feb 1 08:38 bar
[r...@boutell foo]# ls -ld .
drwxrwxrwx 2 boutell users 4096 Feb 1 08:38 .
[r...@boutell foo]# su - bryan
[br...@boutell ~]$ cd /tmp/foo
[br...@boutell foo]$ rm bar
rm: remove write-protected regular empty file `bar'? y
[br...@boutell foo]$ ls -l
total 0

> However, I also think Symfony is too loose on permissions to be
> deployed in production as is (I'm not even talking about ini_set and
> memory_limit calls...).

777 is fine in a VM hosting environment ("this is a Linux virtual
machine in which you have root, there are no other clients able to see
any of your files ever, and your web site is the only thing running").
And at current prices it doesn't make any sense to deploy in less than
a VM environment.
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
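
The test in the message above can be repeated without a second account. The script below is an added example, not part of the original message: it works in a temporary directory on a constructed `.htaccess` file, and the function names `try_replace` and `try_in_place` are made up for the illustration.

```shell
#!/bin/sh
# Added example: whether a file can be deleted or replaced is decided by
# the permissions of its directory, not by the mode of the file itself.
# Everything is created under a fresh temporary directory (constructed input).

# try_replace DIR_MODE
# Puts a mode-444 .htaccess into a directory with mode DIR_MODE, then tries
# to replace it by unlink + create. Prints "replaced" or "blocked".
try_replace() {
    dir_mode=$1
    work=$(mktemp -d) || return 1
    printf 'original\n' > "$work/.htaccess"
    chmod 444 "$work/.htaccess"
    chmod "$dir_mode" "$work"
    # Unlink and create both need write + search permission on the directory.
    if rm -f "$work/.htaccess" 2>/dev/null &&
       ( printf 'replacement\n' > "$work/.htaccess" ) 2>/dev/null; then
        result=replaced
    else
        result=blocked
    fi
    chmod 700 "$work"        # restore access so the cleanup can proceed
    rm -rf "$work"
    printf '%s\n' "$result"
}

# try_in_place
# Tries to write into the existing mode-444 file without unlinking it.
# Prints "written" or "denied"; this is the only step the file mode governs.
try_in_place() {
    work=$(mktemp -d) || return 1
    printf 'original\n' > "$work/.htaccess"
    chmod 444 "$work/.htaccess"
    if ( printf 'extra\n' >> "$work/.htaccess" ) 2>/dev/null; then
        result=written
    else
        result=denied
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

echo "dir 755, file 444, unlink + create: $(try_replace 755)"
echo "dir 555, file 444, unlink + create: $(try_replace 555)"
echo "file 444, write in place:           $(try_in_place)"
```

Run it as an unprivileged user, since root bypasses these permission checks. In a directory with the sticky bit set (as /tmp usually has), unlinking is further restricted to the owner of the file or of the directory; the /tmp/foo directory in the session above did not have it.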