Evert|Rooftop Solutions wrote:
Thanx Johannes,
how about making the webserver the owner of the files? Would that be a
good idea?
The problem is that I have a framework deployed at several clients.
Because these are some big clients and demand high security they won't
give me a login to their ftp or consoles.
these 'big' clients are rather missing the point aren't they?
they trust your code but not you???
Understandable, but every time there's an update I need to mail the files
and they have to install it. Imagine how much time that costs when
there's a problem after the update and they need files again. Very
annoying.
send them big bills for wasting your time.... and make it known how
such bills can be avoided :-)
I consider myself a good php scripter and I will be able to make my
scripts secure, so I need a good reason not to build in the
auto-updater. I can tell the server is a dedicated server for my
project, only has a webserver running (apache).
Argue with me :)
argue with the clients: giving you limited (maybe also time limited)
shell access via SSH (using public key encryption to log in) and logging
all activity is a lot securer, quick _and_ less error-prone than having
you send all your files by email, and definitely more secure than
having a web-based update tool running on their server(s).
grt,
Evert
Johannes Findeisen wrote:
Hello,
It is generally not a good idea to make scripts writable by
everybody. I think that if you're implementing auto-update features in
PHP scripts they only could be insecure. Okay, you have one more
feature but what if this feature goes out of control? Be really
careful when writing such applications. Maybe there are nice and
secure solutions which maybe work but you really should set a focus on
security.
More info:
http://www.php.net/manual/en/function.chmod.php
Regards
hanez
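
The permission risk discussed in this thread (scripts writable by everybody, or owned by the web server) can be checked on a deployed tree. The following is an added example, not code from any poster in the thread; the account name www-data and the demo paths are assumptions.

```shell
#!/bin/sh
# Added example: report what the web server account could rewrite under a
# web root. The default account name (www-data) is an assumption; pass the
# account Apache actually runs as on the host being checked.

# audit_webroot ROOT [WEB_USER]
# Prints one finding per line: "<reason> <path>"
audit_webroot() {
    root=$1
    web_user=${2:-www-data}

    # World-writable files or directories: any local account, the web
    # server included, can replace the scripts stored there.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/world-writable /'

    # Files owned by the web server account: the owner can always chmod
    # its own files back to writable, so read-only mode bits do not help.
    find "$root" -type f -user "$web_user" -print |
        sed 's/^/webserver-owned /'
}

# Demo on a constructed tree, using the current user as the stand-in
# for the web server account.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/app"
    echo '<?php // constructed sample' > "$tmp/app/index.php"
    echo '<?php // constructed sample' > "$tmp/app/update.php"
    chmod 644 "$tmp/app/index.php"
    chmod 666 "$tmp/app/update.php"   # the "everybody writable" case
    audit_webroot "$tmp" "$(id -u)"
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then audit_webroot "$@"; else demo; fi
```

An empty report means the web server can read the scripts but cannot modify them, which is the state a deployment without a built-in updater should be in.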