[BlueOnyx:00561] Re: Brian type permissions question..

Rodrigo Ordonez Licona rodrigo at xnet.com.mx
Wed Feb 18 14:19:42 -05 2009 

Either that or 
upload and create directories by PHP Script only  
So that the scripts always have access to files and dirs.

This is what we do.

HTH

Rodrigo O
Xnet

-----Original Message-----
From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On
Behalf Of Michael Stauber
Sent: Miércoles, 18 de Febrero de 2009 12:04
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:00559] Re: Brian type permissions question..

Hi Jeff,

> Wow. You know that is EXACTLY what Brian would have said! And it 
> worked! So now I really am suspicious!

Hehehe. "Barkeeper! I take one of those that Jeff had. Must be good stuff!" 
:o)

> So now my file UIDs are all apache, but from what you say - uploading 
> via FTP (user admin say) is going to replace the UID back to admin and 
> cause another problem.
>
> Are you saying that after FTPing my files up - I'm going to have to 
> manually change each one back to apache?

Yes, that's correct.

> Or (mini Brian-wave) if I upload using the site administrator account
> - this should be in the site1 group, and therefore should work.
>
> Am I right? Or have I just completely exposed to the world my complete 
> misunderstanding of linux permissions..?

Let me put it this way: Uploading by FTP as siteAdmin or "admin" should
always work - even in this scenario. Because both of these belong to site1 -
as you said.

However, the problem is: Apache doesn't belong to group "site1". So whenever
your PHP script tries to overwrite a file that you uploaded by FTP, then
that script will fail.

Likewise: If you create a folder by FTP and want that PHP script to store
files in there, then it can't. Because the folder is not owned by UID
"apache".

Adding user "apache" to all site groups would solve this issue, but it
creates a hell of a security hole. Because customer X could create a script
that reads from and writes to everyone elses webspace. The "open_basedir"
restrictions can typically prevent that kind of malice, but I wouldn't bet
the farm on it. 
So that's a big no-go area. Using PHP as mod_cgi would be another
alternative, but it has other drawbacks.

Hence we may go another route here: Add a checkbox to the GUI where the
siteAdmin user (or higher)  can toggle all files and folders of the webspace
back and forth between being owned by siteAdmin and/or Apache. 

If done that way you could simply upload something by FTP and then toggle
that checkbox in the GUI and everything will be chown'ed in a fashion that
your PHP script is happy.

--
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx

More information about the Blueonyx mailing list