Re: unlink()?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 1:02 AM +0100 6/6/10, Ashley Sheridan wrote:
On Sat, 2010-06-05 at 18:55 -0400, tedd wrote:

Hi gang:

Never-mind.

I didn't change the parent directory permissions to unlink the file -- duh!

tedd

I was just about to mention this! It's one of the bizarre security loopholes in Linux. If you have write permissions to a directory but not a file within it, you can still delete the file. I believe you can change this behaviour with filesystem security mods, but I've not tried that.

Ash

Yes, I've seen where you can delete files within a directory by changing the directory permissions.

It's not often that my scripts create/delete files on the server -- so I'm not up on it as much as I probably should be.

However to me, it seems overly cautious to require scripts -- that are already running on the server -- to have the authority (ftp id and password) to create/delete files. After all, the scripts would not be there if the person who placed them there didn't have authority to create and delete files. So, I have to wonder under what scenario would evil scripts be found/run on the server?

For example, if anyone was going to create an evil script and place it on the server, they must have the authority to do that. And if they had that authority, then they could just as easily add that to their script and side-step this requirement, right? So, what's the purpose?

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux