File permissions for a wiki-like site

Posted 14/09/2007, 05:46   #1
Adam Baker

Hello,
I'm writing a site where a handful of people will be able to edit
the content using PHP scripts (FCKeditor). The content is stored as
individual files in a directory. I'd like to validate the "editors"
using PHP, , etc.
The question is what file permissions I need to allow for the
content to be writable by my PHP script. Do I really need to give
write permissions to the "other" group. Are all wikis really that
vulnerable? (yes, I know that's the point, but for restricted wikis,
for instance...)

Thanks,
Adam

Posted 14/09/2007, 13:06   #2
Jerry Stuckle

Adam Baker wrote:
> Hello,
> I'm writing a site where a handful of people will be able to edit
> the content using PHP scripts (FCKeditor). The content is stored as
> individual files in a directory. I'd like to validate the "editors"
> using PHP, , etc.
> The question is what file permissions I need to allow for the
> content to be writable by my PHP script. Do I really need to give
> write permissions to the "other" group. Are all wikis really that
> vulnerable? (yes, I know that's the point, but for restricted wikis,
> for instance...)
>
> Thanks,
> Adam
>


The only one doing the writing will be the Apache user itself. The
system doesn't know or care who is using the editor - that's completely
between Apache and the user.

And beware that unless you implement your own security, any of those
people will be able to edit any of the files.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Posted 18/09/2007, 16:42   #3
Adam Baker

On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Adam Baker wrote:
> > Hello,
> > I'm writing a site where a handful of people will be able to edit
> > the content using PHP scripts (FCKeditor). The content is stored as
> > individual files in a directory. I'd like to validate the "editors"
> > using PHP, , etc.
> > The question is what file permissions I need to allow for the
> > content to be writable by my PHP script. Do I really need to give
> > write permissions to the "other" group. Are all wikis really that
> > vulnerable? (yes, I know that's the point, but for restricted wikis,
> > for instance...)

>
> > Thanks,
> > Adam

>
> The only one doing the writing will be the Apache user itself. The
> system doesn't know or care who is using the editor - that's completely
> between Apache and the user.
>
> And beware that unless you implement your own security, any of those
> people will be able to edit any of the files.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================


Thanks for your reply. I am quite ignorant here, so I will see whether
I can even ask a coherent follow-up. So the PHP script is run by the
Apache user. Is that the user that owns Apache, or a special username?

It would seem, then, that I would want to give rwx permissions for the
content files to that user alone (and myself), not do a chmod 777. Is
that right?

Thanks,
Adam

Posted 18/09/2007, 17:49   #4
Jerry Stuckle

Adam Baker wrote:
> On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Adam Baker wrote:
>>> Hello,
>>> I'm writing a site where a handful of people will be able to edit
>>> the content using PHP scripts (FCKeditor). The content is stored as
>>> individual files in a directory. I'd like to validate the "editors"
>>> using PHP, , etc.
>>> The question is what file permissions I need to allow for the
>>> content to be writable by my PHP script. Do I really need to give
>>> write permissions to the "other" group. Are all wikis really that
>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>> for instance...)
>>> Thanks,
>>> Adam

>> The only one doing the writing will be the Apache user itself. The
>> system doesn't know or care who is using the editor - that's completely
>> between Apache and the user.
>>
>> And beware that unless you implement your own security, any of those
>> people will be able to edit any of the files.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================

>
> Thanks for your reply. I am quite ignorant here, so I will see whether
> I can even ask a coherent follow-up. So the PHP script is run by the
> Apache user. Is that the user that owns Apache, or a special username?
>
> It would seem, then, that I would want to give rwx permissions for the
> content files to that user alone (and myself), not do a chmod 777. Is
> that right?
>
> Thanks,
> Adam
>


Every process in the machine runs under a specific user. That's what
determines the permissions available to the process.

No one "owns" Apache. There is a user (or even more than one) which
owns the files Apache uses to run. And there is a user for the Apache
process. They may or may not be the same.

And chmod to 777 is highly dangerous - it allows anyone on your server
to read and write to your files. It should never be done if you value
those files, IMHO.

Rather, you should set up the users and groups to provide the
appropriate permissions, then set the file permissions accordingly.

I'd suggest you get a book on Linux Administration. It will help you
with a lot of different things. And I'm not being sarcastic about the
suggestion; learning some of the basics of Linux administration will
help you understand a lot of this better - it can be quite confusing.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Posted 18/09/2007, 19:03   #5
The Natural Philosopher

Jerry Stuckle wrote:
> Adam Baker wrote:
>> On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>> Adam Baker wrote:
>>>> Hello,
>>>> I'm writing a site where a handful of people will be able to edit
>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>> individual files in a directory. I'd like to validate the "editors"
>>>> using PHP, , etc.
>>>> The question is what file permissions I need to allow for the
>>>> content to be writable by my PHP script. Do I really need to give
>>>> write permissions to the "other" group. Are all wikis really that
>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>> for instance...)
>>>> Thanks,
>>>> Adam
>>> The only one doing the writing will be the Apache user itself. The
>>> system doesn't know or care who is using the editor - that's completely
>>> between Apache and the user.
>>>
>>> And beware that unless you implement your own security, any of those
>>> people will be able to edit any of the files.
>>>
>>> --
>>> ==================
>>> Remove the "x" from my email address
>>> Jerry Stuckle
>>> JDS Computer Training Corp.
>>> jstuck...@attglobal.net
>>> ==================

>>
>> Thanks for your reply. I am quite ignorant here, so I will see whether
>> I can even ask a coherent follow-up. So the PHP script is run by the
>> Apache user. Is that the user that owns Apache, or a special username?
>>
>> It would seem, then, that I would want to give rwx permissions for the
>> content files to that user alone (and myself), not do a chmod 777. Is
>> that right?
>>
>> Thanks,
>> Adam
>>

>
> Every process in the machine runs under a specific user. That's what
> determines the permissions available to the process.
>
> No one "owns" Apache.


Well actually someone DOES. Even if it's a dummy user like 'www-user' or
somesuch.

Unless you are dumb enough to run apache as root..and even then root
'owns it'

A quick trawl through the PS command if you are on unix, will show what
it runs as user wise.

Viz on a system here
~$ ps -eadf | grep apache
root 9197 1 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9208 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9209 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9210 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9213 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9214 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9787 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 11958 9197 0 Sep17 ? 00:00:00 /usr/sbin/apache2 -k start

www-data is the user who 'owns' apache and that 'user' must have read
access to any file apache wants to deliver.


> There is a user (or even more than one) which
> owns the files Apache uses to run. And there is a user for the Apache
> process. They may or may not be the same.
>
> And chmod to 777 is highly dangerous - it allows anyone on your server
> to read and write to your files. It should never be done if you value
> those files, IMHO.
>
> Rather, you should set up the users and groups to provide the
> appropriate permissions, then set the file permissions accordingly.
>


755 permissions are safe enough. Full read access and only user write
access.

> I'd suggest you get a book on Linux Administration. It will help you
> with a lot of different things. And I'm not being sarcastic about the
> suggestion; learning some of the basics of Linux administration will
> help you understand a lot of this better - it can be quite confusing.
>
>
>

Posted 18/09/2007, 23:56   #6
Jerry Stuckle

The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> Adam Baker wrote:
>>> On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>>> Adam Baker wrote:
>>>>> Hello,
>>>>> I'm writing a site where a handful of people will be able to edit
>>>>> the content using PHP scripts (FCKeditor). The content is stored as
>>>>> individual files in a directory. I'd like to validate the "editors"
>>>>> using PHP, , etc.
>>>>> The question is what file permissions I need to allow for the
>>>>> content to be writable by my PHP script. Do I really need to give
>>>>> write permissions to the "other" group. Are all wikis really that
>>>>> vulnerable? (yes, I know that's the point, but for restricted wikis,
>>>>> for instance...)
>>>>> Thanks,
>>>>> Adam
>>>> The only one doing the writing will be the Apache user itself. The
>>>> system doesn't know or care who is using the editor - that's completely
>>>> between Apache and the user.
>>>>
>>>> And beware that unless you implement your own security, any of those
>>>> people will be able to edit any of the files.
>>>>
>>>> --
>>>> ==================
>>>> Remove the "x" from my email address
>>>> Jerry Stuckle
>>>> JDS Computer Training Corp.
>>>> jstuck...@attglobal.net
>>>> ==================
>>>
>>> Thanks for your reply. I am quite ignorant here, so I will see whether
>>> I can even ask a coherent follow-up. So the PHP script is run by the
>>> Apache user. Is that the user that owns Apache, or a special username?
>>>
>>> It would seem, then, that I would want to give rwx permissions for the
>>> content files to that user alone (and myself), not do a chmod 777. Is
>>> that right?
>>>
>>> Thanks,
>>> Adam
>>>

>>
>> Every process in the machine runs under a specific user. That's what
>> determines the permissions available to the process.
>>
>> No one "owns" Apache.

>
> Well actually someone DOES. Even if it's a dummy user like 'www-user' or
> somesuch.
>


No, someone owns the Apache Process. You could have 10 different Apache
Processes running, each "owned" by a different user.

> Unless you are dumb enough to run apache as root..and even then root
> 'owns it'
>
> A quick trawl through the PS command if you are on unix, will show what
> it runs as user wise.
>
> Viz on a system here
> ~$ ps -eadf | grep apache
> root 9197 1 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9208 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9209 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9210 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9213 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9214 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 9787 9197 0 Sep16 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 11958 9197 0 Sep17 ? 00:00:00 /usr/sbin/apache2 -k start
>
> www-data is the user who 'owns' apache and that 'user' must have read
> access to any file apache wants to deliver.
>


And you are looking at the Process.

>
>> There is a user (or even more than one) which
>> owns the files Apache uses to run. And there is a user for the Apache
>> process. They may or may not be the same.
>>
>> And chmod to 777 is highly dangerous - it allows anyone on your server
>> to read and write to your files. It should never be done if you value
>> those files, IMHO.
>>
>> Rather, you should set up the users and groups to provide the
>> appropriate permissions, then set the file permissions accordingly.
>>

>
> 755 permissions are safe enough. Full read access and only user write
> access.
>


Not at all. Would you want someone else to have access to your PHP code
or private files? Say someone who signed onto the machine with SSH or
(shudder) telnet? 755 gives them those rights.

>> I'd suggest you get a book on Linux Administration. It will help you
>> with a lot of different things. And I'm not being sarcastic about the
>> suggestion; learning some of the basics of Linux administration will
>> help you understand a lot of this better - it can be quite confusing.
>>
>>
>>



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Posted 19/09/2007, 00:32   #7
Adam Baker

On Sep 18, 9:49 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Adam Baker wrote:
> > On Sep 14, 5:06 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> >> Adam Baker wrote:
> >>> Hello,
> >>> I'm writing a site where a handful of people will be able to edit
> >>> the content using PHP scripts (FCKeditor). The content is stored as
> >>> individual files in a directory. I'd like to validate the "editors"
> >>> using PHP, , etc.
> >>> The question is what file permissions I need to allow for the
> >>> content to be writable by my PHP script. Do I really need to give
> >>> write permissions to the "other" group. Are all wikis really that
> >>> vulnerable? (yes, I know that's the point, but for restricted wikis,
> >>> for instance...)
> >>> Thanks,
> >>> Adam
> >> The only one doing the writing will be the Apache user itself. The
> >> system doesn't know or care who is using the editor - that's completely
> >> between Apache and the user.

>
> >> And beware that unless you implement your own security, any of those
> >> people will be able to edit any of the files.

>
> >> --
> >> ==================
> >> Remove the "x" from my email address
> >> Jerry Stuckle
> >> JDS Computer Training Corp.
> >> jstuck...@attglobal.net
> >> ==================

>
> > Thanks for your reply. I am quite ignorant here, so I will see whether
> > I can even ask a coherent follow-up. So the PHP script is run by the
> > Apache user. Is that the user that owns Apache, or a special username?

>
> > It would seem, then, that I would want to give rwx permissions for the
> > content files to that user alone (and myself), not do a chmod 777. Is
> > that right?

>
> > Thanks,
> > Adam

>
> Every process in the machine runs under a specific user. That's what
> determines the permissions available to the process.
>
> No one "owns" Apache. There is a user (or even more than one) which
> owns the files Apache uses to run. And there is a user for the Apache
> process. They may or may not be the same.
>
> And chmod to 777 is highly dangerous - it allows anyone on your server
> to read and write to your files. It should never be done if you value
> those files, IMHO.
>
> Rather, you should set up the users and groups to provide the
> appropriate permissions, then set the file permissions accordingly.
>
> I'd suggest you get a book on Linux Administration. It will help you
> with a lot of different things. And I'm not being sarcastic about the
> suggestion; learning some of the basics of Linux administration will
> help you understand a lot of this better - it can be quite confusing.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================


Is there a good Linux book you could recommend? I don't think I've
ever read anything about Linux that didn't presuppose a LOT of
background knowledge.

Thanks,
Adam

Posted 19/09/2007, 01:55   #8
Gordon Burditt

>> > I'm writing a site where a handful of people will be able to edit
>> > the content using PHP scripts (FCKeditor). The content is stored as
>> > individual files in a directory. I'd like to validate the "editors"
>> > using PHP, , etc.
>> > The question is what file permissions I need to allow for the
>> > content to be writable by my PHP script. Do I really need to give
>> > write permissions to the "other" group. Are all wikis really that
>> > vulnerable? (yes, I know that's the point, but for restricted wikis,
>> > for instance...)

>>
>> > Thanks,
>> > Adam

>>
>> The only one doing the writing will be the Apache user itself. The
>> system doesn't know or care who is using the editor - that's completely
>> between Apache and the user.
>>
>> And beware that unless you implement your own security, any of those
>> people will be able to edit any of the files.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================

>
>Thanks for your reply. I am quite ignorant here, so I will see whether
>I can even ask a coherent follow-up. So the PHP script is run by the
>Apache user. Is that the user that owns Apache, or a special username?


Often it's both.

In a typical PHP application, there are 3 different types of users:

- OS users, stored in /etc/passwd.
- Database users, perhaps stored in the mysql.user table. Usually a web
  application "owns" a database user and uses it on its own behalf,
  rather than handing out database users to people who register.
- Web users, perhaps stored in some other database table, a text file,
  or hardcoded somewhere. The web user is used for things like
  identifying posts, and determining who gets to access what private
  information.

When a user registers for your web application, you typically give them
a web user and NOT an OS user.

Files are owned by OS users. Anything Apache and PHP can write on
can be written on regardless of the Web user. If you have rules
about what Web user can write on what other Web user's stuff, you
have to write code to enforce it. Web users normally don't have
corresponding OS users.

If you are on a shared host, you may be able to FTP content in using
YOUR OS user but PHP runs as Apache's OS user. The only way to let
both write in the same place is to use mode 777 on directories (unless
they are in a common group, which they usually aren't).


>It would seem, then, that I would want to give rwx permissions for the
>content files to that user alone (and myself), not do a chmod 777. Is
>that right?


Standard UNIX file permissions don't allow a file to have two owners.

You don't normally want to give x permission to any *file* that a
web application can write on (as distinguished from *directory*,
which needs x permission). x permission is for executables and
shell scripts.
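
The OS-level side of the advice in this thread, as an added example that is not part of any poster's message: a shell script that finds the modes the replies warn about (world-writable entries, world-readable entries, execute bits on content files) and replaces them with owner-plus-group access. The sample tree is constructed, and the shared group passed to `harden_tree` is a hypothetical one that would hold both your account and the Apache process user; which editor may change which page still has to be enforced in the PHP code.

```shell
#!/bin/sh
# Added example: audit and tighten a wiki content tree (paths are assumptions).

# Entries anyone on the server can write to: the "chmod 777" problem.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Entries any local account can read: the objection raised against 755.
world_readable() {
    find "$1" \( -type f -o -type d \) -perm -0004 -print
}

# Regular files with an execute bit; content files never need one.
executable_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Give owner and group full access and everyone else none.
# Directories get setgid (2770) so new files inherit the shared group;
# files get 0660: read/write, no execute.
# $2 is optional: a group containing both your account and the Apache
# process user (hypothetical name, e.g. "wikiedit"). chgrp only succeeds
# if you own the files and belong to that group, or are root.
harden_tree() {
    if [ -n "${2:-}" ]; then
        chgrp -R "$2" "$1" || return 1
    fi
    find "$1" -type d -exec chmod 2770 {} + &&
    find "$1" -type f -exec chmod 0660 {} +
}

# Build a constructed sample tree showing the modes discussed in the thread.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/pages"
    echo "home"  > "$root/pages/home.txt"
    echo "about" > "$root/pages/about.txt"
    chmod 777 "$root/pages" "$root/pages/home.txt"   # world-writable
    chmod 755 "$root/pages/about.txt"                # world-readable + x
    echo "$root"
}

demo() {
    tree=$(make_sample_tree) || return 1
    echo "world-writable before:";   world_writable "$tree"
    echo "executable files before:"; executable_files "$tree"
    harden_tree "$tree"
    echo "world-writable after:";    world_writable "$tree"
    echo "world-readable after:";    world_readable "$tree"
    rm -rf "$tree"
}

demo
```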

