On Mon, Feb 1, 2010 at 10:08 AM, Florian MAURY <[email protected]> wrote:
>
> Sorry, you haven't read my post well: I never said you can't delete
> it; I said you can't overwrite it ;)

You're right, my mistake. The .htaccess file would be an effective block as far as it goes.

> The thing is it only protects Apache. I think Symfony should minimize its
> dependency on Apache.

I agree. It makes more sense for Symfony's validators to do a better job of helping developers avoid such mistakes at the PHP level.

> Moreover, a VM can't be an argument to develop incorrectly (in terms of
> security): a VM may "protect" a 777 file or dir against shared-hosted
> clients, but it is not protecting at all against intrusion of the system
> (via a PHP script or an exploit on another part of the server (SSH, mail
> server, whatever)). An intruder can then corrupt the cache, or delete any
> file in the upload dir from any local user in the system (not only root)
> who can access the symfony root. You may rely on permissions of the parent
> directories; I don't.

I too would prefer it if Symfony offered a way to configure the permissions and ownership it attempts to set for things that are supposed to be "writable by the website" and things that are meant to be "readable but not writable by the website", rather than making broad assumptions like "777 is the way to go", even if that has to be the default for broad acceptance of Symfony as something that can be installed by relatively inexperienced developers without too much grief.

I actually submitted such a patch a long time back. A better version would probably put these settings in properties.ini; the system does need to see them very early.

777 is drastically safer in a VM environment, but yes, there could be exploits elsewhere in the OS.

--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com

--
You received this message because you are subscribed to the Google Groups "symfony developers" group.
