[BlueOnyx:00563] Re: Brian type permissions question..
Jeff Jones
jeffrhysjones at mac.com
Wed Feb 18 14:36:58 -05 2009
This is Marks and Spencer Etoile D'or Premium lager - 5%. But it's my
first (and last) tonight honest.
I've never really been 100% on Linux permissions so I should probably
do some research to refresh again - but I'm not afraid to ask perhaps
'simple' questions! I really appreciate your time to explain the cause
of this problem in a clear and easy to understand manner - thanks!
Your checkbox idea (I would actually like site admin to be able to do
this if possible) sounds like just the ticket!
Thanks again for putting up with this newb question - Brian would be
proud!
(and I hope I haven't started a Brian AKA Michael conspiracy theory!
Just a bit of fun!)
Cheers,
Jeff
On 18 Feb 2009, at 19:03, Michael Stauber wrote:
> Hi Jeff,
>
>> Wow. You know that is EXACTLY what Brian would have said! And it
>> worked! So now I really am suspicious!
>
> Hehehe. "Barkeeper! I take one of those that Jeff had. Must be good
> stuff!"
> :o)
>
>> So now my file UIDs are all apache, but from what you say - uploading
>> via FTP (user admin say) is going to replace the UID back to admin and
>> cause another problem.
>>
>> Are you saying that after FTPing my files up - I'm going to have to
>> manually change each one back to apache?
>
> Yes, that's correct.
>
>> Or (mini Brian-wave) if I upload using the site administrator account
>> - this should be in the site1 group, and therefore should work.
>>
>> Am I right? Or have I just completely exposed to the world my complete
>> misunderstanding of Linux permissions..?
>
> Let me put it this way: Uploading by FTP as siteAdmin or "admin" should
> always work - even in this scenario. Because both of these belong to
> site1 - as you said.
>
> However, the problem is: Apache doesn't belong to group "site1". So
> whenever your PHP script tries to overwrite a file that you uploaded by
> FTP, then that script will fail.
>
> Likewise: If you create a folder by FTP and want that PHP script to
> store files in there, then it can't. Because the folder is not owned by
> UID "apache".
>
> Adding user "apache" to all site groups would solve this issue, but it
> creates a hell of a security hole. Because customer X could create a
> script that reads from and writes to everyone else's webspace. The
> "open_basedir" restrictions can typically prevent that kind of malice,
> but I wouldn't bet the farm on it. So that's a big no-go area. Using PHP
> as mod_cgi would be another alternative, but it has other drawbacks.
>
> Hence we may go another route here: Add a checkbox to the GUI where the
> siteAdmin user (or higher) can toggle all files and folders of the
> webspace back and forth between being owned by siteAdmin and/or Apache.
>
> If done that way you could simply upload something by FTP and then
> toggle that checkbox in the GUI and everything will be chown'ed in a
> fashion that your PHP script is happy.
>
> --
> With best regards
>
> Michael Stauber
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
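
The ownership behaviour discussed in this thread, modelled as an added example that is not part of the original messages or of BlueOnyx itself: it applies the classic Unix owner/group/other write check to a constructed webspace listing and compares the two options mentioned (adding "apache" to every site group versus re-owning one site's files). The paths, the modes, the second site "site2" and its user "bob" are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Entry:
    path: str
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o664

def can_write(user, groups, entry):
    """Classic Unix check: only the first matching class is consulted
    (owner, then group, then other). Root and ACLs are ignored, and a
    directory is treated as writable on its write bit alone."""
    if user == entry.owner:
        return bool(entry.mode & 0o200)
    if entry.group in groups:
        return bool(entry.mode & 0o020)
    return bool(entry.mode & 0o002)

def writable(user, groups, entries):
    """Paths in the listing that this user/group set may write to."""
    return [e.path for e in entries if can_write(user, groups, e)]

def toggle_owner(entries, site_group, new_owner):
    """Model of the proposed checkbox: re-own every entry of one site,
    leaving group and mode untouched."""
    return [replace(e, owner=new_owner) if e.group == site_group else e
            for e in entries]

# Constructed listing (hypothetical paths): three FTP/PHP items of site1
# and one file belonging to another customer's site.
WEBSPACE = [
    Entry("/site1/web/upload",     "admin",  "site1", 0o775),  # made by FTP
    Entry("/site1/web/data.txt",   "admin",  "site1", 0o664),  # uploaded by FTP
    Entry("/site1/web/cache",      "apache", "site1", 0o775),  # made by PHP
    Entry("/site2/web/config.php", "bob",    "site2", 0o664),  # other customer
]

if __name__ == "__main__":
    print("apache, no site groups :", writable("apache", set(), WEBSPACE))
    print("apache in all groups   :",
          writable("apache", {"site1", "site2"}, WEBSPACE))
    toggled = toggle_owner(WEBSPACE, "site1", "apache")
    print("apache after toggle    :", writable("apache", set(), toggled))
    print("admin after toggle     :", writable("admin", {"site1"}, toggled))
```

With group-writable modes as assumed here, the re-owned files stay writable for "admin" through the site1 group, while "apache" gains nothing outside site1.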