Re: Create .php file with php [POC CODE INCLUDED]

On Jun 26, 2007, at 3:31 PM, Crayon Shin Chan wrote:

> On Wednesday 27 June 2007 03:53, Daniel Brown wrote:
>> On 6/26/07, Al Rider <alan@xxxxxxxxxxxxx> wrote:
>>> I think most systems have a /tmp directory above the web dir, so
>>> outsiders can't watch it anyhow.
>>
>>     True, but on an unsecured box, this becomes possible, as Apache
>> will most likely be running universally as `nobody`, `httpd`,
>> `apache`, or `daemon` for all scripts, including all web-based scripts
>> writing to the /tmp directory.  This includes session information,
>> temporary .php files (as Marius requested), et cetera.
>
> How is this different from:
>
> "put them in a specific directory that only the web server has access to
> read, write, and execute"


Most /tmp directories are world rwx. So anyone that can log into the server through a shell, or any account running on the server, has at least read access to anything in the /tmp directory. They wouldn't need to do it through a web script.

At least if the temp directory is rwx web server only, shell logins and other accounts are denied access. Any web script can still get to it though.

Ed

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
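
The permission difference discussed in this thread (a world-rwx /tmp versus a directory only the web server account can use) can be checked from a shell. This is an added example, not part of the original messages; it assumes GNU `stat`, and the function names and sandbox directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify who, besides the owner, can reach a directory.
# Assumes GNU stat (stat -c). Function and directory names are constructed.

# Classify exposure from the octal mode reported by stat (e.g. 1777, 750, 700).
#   world-writable   : any local account can create or replace entries (typical /tmp)
#   world-accessible : any local account has some read or traverse access
#   group-only       : nothing for "other", but some access for the group
#   owner-only       : only the owning account (e.g. the web server user)
dir_exposure() {
    mode=$(stat -c '%a' "$1") || return 1
    other=$(( mode % 10 ))
    group=$(( (mode / 10) % 10 ))
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "world-writable"
    elif [ "$other" -ne 0 ]; then
        echo "world-accessible"
    elif [ "$group" -ne 0 ]; then
        echo "group-only"
    else
        echo "owner-only"
    fi
}

# Create a fresh directory under BASE that only the creating account can use.
# Run as the web server account, this gives the "rwx web server only" case.
# Every script running as that same account can still read and write it.
make_private_dir() {
    d=$(mktemp -d "$1/phptmp.XXXXXX") || return 1
    chmod 700 "$d" || return 1
    echo "$d"
}

# Demo on a constructed sandbox rather than the real /tmp.
sandbox=$(mktemp -d)
mkdir "$sandbox/shared" && chmod 1777 "$sandbox/shared"   # mimics a typical /tmp
private=$(make_private_dir "$sandbox")
echo "shared:  $(dir_exposure "$sandbox/shared")"
echo "private: $(dir_exposure "$private")"
rm -rf "$sandbox"
```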

