Re: Minimalist permissions

Richard Lynch wrote:
Ugo Bellavance wrote:

   If the needed permissions for standard PHP files and directories are
'r' on files and 'r-x' on directories, how can I set my umask so that
files and directories are always created as such?  I looked up 'man
umask' and it seems to treat files and directories the same way.  Maybe
that is impossible, but I logged in via FTP to a server of a web hosting
company, and it implements just this: creates directories as rwxr-xr-x
and files as rw-r--r--.

    Another thing... how should I configure ownership on the files?
root as owner, apache as group and no permissions for others?


Do NOT make root as owner, unless you really really really need to.

If somebody manages to alter the contents of the file, and then manages to
make it executable, you no longer own that computer, they do.

In fact, making the files owned by the apache user is what I would
recommend, unless you really have a hard-core reason not to, PLUS you have
considered all the ramifications.

If files need to be owned by somebody else for some reason, they STILL
should NEVER have to be owned by root -- or else you've got some serious
security issues to consider.

It's better to create a new user, with very limited and specific abilities
to do the minimum they need to do, than to just go using 'root' access for
things.

I don't know what umask does, and I don't know what your FTP host does,
but I do know that you can use 'find' and its '-exec' flag to change
directories and files differently in a cron job if you need to do that.
They'll have the wrong permissions for the brief period that they are
created.


Or, when you create the file, you can change its permissions at the time
of creation, which is probably what the FTP program does.

umask is handy, but not the "answer" to every need.

Thanks for your quick and precise reply. I'll investigate more on that and follow your suggestions, which make a lot of sense.


Does anyone have another opinion/experience on this?

Regards,

Ugo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
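
Added example, not part of the original messages: a shell sketch of the two approaches discussed in the thread. Most programs request mode 0666 for new files and 0777 for new directories, so a single umask of 022 already yields rw-r--r-- files and rwxr-xr-x directories; the `find` pass repairs a tree that was created some other way. The function names and the scratch tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and paths below are hypothetical, not from the thread.

# Create a small PHP-style tree at $1 under umask $2 (subshell keeps the
# caller's umask unchanged).
create_tree() {
    (
        umask "$2"
        mkdir "$1" "$1/inc"
        : > "$1/index.php"
        : > "$1/inc/db.php"
    )
}

# Set directories under $1 to mode $2 and regular files to mode $3,
# using find's -exec as suggested in the thread.
fix_perms() {
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# Print every directory whose mode is not exactly $2 and every regular
# file whose mode is not exactly $3. Empty output means the tree conforms.
deviations() {
    find "$1" \( -type d ! -perm "$2" \) -o \( -type f ! -perm "$3" \)
}

# Demo on a constructed scratch tree.
demo_root=$(mktemp -d)
create_tree "$demo_root/site" 022
echo "deviations after creation with umask 022 (expect none):"
deviations "$demo_root/site" 755 644

chmod 777 "$demo_root/site/inc"          # simulate an over-permissive upload
chmod 666 "$demo_root/site/inc/db.php"
echo "deviations after loosening two entries:"
deviations "$demo_root/site" 755 644

fix_perms "$demo_root/site" 755 644
echo "deviations after fix_perms (expect none):"
deviations "$demo_root/site" 755 644
rm -rf "$demo_root"
```

Running `deviations` from cron before `fix_perms` gives a record of what was created with the wrong mode, instead of silently correcting it.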
