PHWinfo - Afficher un message - File permissions for a wiki-like site

14/09/2007, 14h06

Adam Baker wrote:
> Hello,
> I'm writing a site where a handful of people will be able to edit
> the content using PHP scripts (FCKeditor). The content is stored as
> individual files in a directory. I'd like to validate the "editors"
> using PHP, , etc.
> The question is what file permissions I need to allow for the
> content to be writable by my PHP script. Do I really need to give
> write permissions to the "other" group. Are all wikis really that
> vulnerable? (yes, I know that's the point, but for restricted wikis,
> for instance...)
>
> Thanks,
> Adam
>

The only one doing the writing will be the Apache user itself. The
system doesn't know or care who is using the editor - that's completely
between Apache and the user.

And beware that unless you implement your own security, any of those
people will be able to edit any of the files.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

14/09/2007, 14h06	#2
Jerry Stuckle Messages: n/a Hébergeur:	Re: File permissions for a wiki-like site Adam Baker wrote: > Hello, > I'm writing a site where a handful of people will be able to edit > the content using PHP scripts (FCKeditor). The content is stored as > individual files in a directory. I'd like to validate the "editors" > using PHP, , etc. > The question is what file permissions I need to allow for the > content to be writable by my PHP script. Do I really need to give > write permissions to the "other" group. Are all wikis really that > vulnerable? (yes, I know that's the point, but for restricted wikis, > for instance...) > > Thanks, > Adam > The only one doing the writing will be the Apache user itself. The system doesn't know or care who is using the editor - that's completely between Apache and the user. And beware that unless you implement your own security, any of those people will be able to edit any of the files. -- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ==================