Andy Hultgren wrote:
To whoever was asking this (sorry didn't see the original email):
Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not "wwwrun" or "nobody"?
I was recently exchanging on this list about that very topic. It's in the
archives for this list. Go to www.php.net and set the dropdown menu in the
upper right corner of the page to "general mailing list", then type "File
Upload Security and chmod" into the search field and hit enter. The
conversation is within the first few hits on this search.
The server hosting my site runs with php executing as "me" (the owner of the
domain), and we covered some of the potential security pitfalls of such a
situation (mainly centered on the fact that this makes any php script far
too powerful). In my situation I couldn't change how the server was set up;
however, the general consensus was that this situation created a number of
serious security concerns that had to be very carefully addressed. I would
avoid this configuration if you have the choice, based purely on the advice
I received.
Actually you have that the wrong way around.
If php is running as "www" or "nobody" then any files or directories
that a php script creates will be done as the web server user.
That means (potentially) that if domain 'a' creates a file, domain 'b'
can read and write to that file and even delete it.
If php is running as you instead, you can control this with appropriate
chmod commands (at least removing the risk of deleting of files /
updating of files).
A shared user (like "www" or "nobody") is a *much* bigger risk than
separate users.
--
Postgresql & php tutorials
http://www.designmagick.com/
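
Added example, not part of the original thread: a small Python model of the POSIX permission check, comparing the shared-account and per-user setups discussed above. The uids, modes and function names are constructed for illustration; root and ACLs are not modelled.

```python
import stat
from dataclasses import dataclass

# Constructed ids: one shared web-server account and two per-domain accounts.
NOBODY, ALICE, BOB = 65534, 1001, 1002

@dataclass(frozen=True)
class Node:
    uid: int   # owning user
    gid: int   # owning group
    mode: int  # permission bits, e.g. 0o644

def allowed(node, uid, gids, want):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want  # want: 4 = read, 2 = write, 1 = search/execute

def can_delete(directory, entry, uid, gids):
    """Unlinking needs write+search on the directory; the file's mode is not consulted."""
    if not allowed(directory, uid, gids, 3):
        return False
    if directory.mode & stat.S_ISVTX:  # sticky bit: only file or directory owner
        return uid in (entry.uid, directory.uid)
    return True

def exposure(directory, entry, uid, gids):
    """What a script running as uid can do to an uploaded file."""
    reach = allowed(directory, uid, gids, 1)
    return {"read": reach and allowed(entry, uid, gids, 4),
            "write": reach and allowed(entry, uid, gids, 2),
            "delete": can_delete(directory, entry, uid, gids)}

def shared_user():
    """Both domains' PHP runs as the same account, so domain b is the file's owner too."""
    return exposure(Node(NOBODY, NOBODY, 0o755), Node(NOBODY, NOBODY, 0o644), NOBODY, {NOBODY})

def separate_users(dir_mode=0o700, file_mode=0o600):
    """Domain a's files belong to ALICE; domain b's script runs as BOB."""
    return exposure(Node(ALICE, ALICE, dir_mode), Node(ALICE, ALICE, file_mode), BOB, {BOB})

if __name__ == "__main__":
    print("shared account:   ", shared_user())
    print("separate, 700/600:", separate_users())
    print("separate, 755/644:", separate_users(0o755, 0o644))
```

Deletion depends on the mode of the upload directory rather than the file, so with separate users the chmod has to cover both.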