[BlueOnyx:00559] Re: Brian type permissions question..

Michael Stauber mstauber at blueonyx.it
Wed Feb 18 14:03:41 -05 2009


Hi Jeff,

> Wow. You know that is EXACTLY what Brian would have said! And it
> worked! So now I really am suspicious!

Hehehe. "Barkeeper! I take one of those that Jeff had. Must be good stuff!" 
:o)

> So now my file UIDs are all apache, but from what you say - uploading
> via FTP (user admin say) is going to replace the UID back to admin and
> cause another problem.
>
> Are you saying that after FTPing my files up - I'm going to have to
> manually change each one back to apache?

Yes, that's correct.

> Or (mini Brian-wave) if I upload using the site administrator account
> - this should be in the site1 group, and therefore should work.
>
> Am I right? Or have I just completely exposed to the world my complete
> misunderstanding of linux permissions..?

Let me put it this way: Uploading by FTP as siteAdmin or "admin" should always 
work - even in this scenario. Because both of these belong to site1 - as you 
said.

However, the problem is: Apache doesn't belong to group "site1". So whenever 
your PHP script tries to overwrite a file that you uploaded by FTP, then that 
script will fail.

Likewise: If you create a folder by FTP and want that PHP script to store 
files in there, then it can't. Because the folder is not owned by UID 
"apache".

Adding user "apache" to all site groups would solve this issue, but it creates 
a hell of a security hole. Because customer X could create a script that reads 
from and writes to everyone else's webspace. The "open_basedir" restrictions 
can typically prevent that kind of malice, but I wouldn't bet the farm on it. 
So that's a big no-go area. Using PHP as mod_cgi would be another alternative, 
but it has other drawbacks.

Hence we may go another route here: Add a checkbox to the GUI where the 
siteAdmin user (or higher) can toggle all files and folders of the webspace 
back and forth between being owned by siteAdmin and/or Apache.

If done that way you could simply upload something by FTP and then toggle that 
checkbox in the GUI and everything will be chown'ed in a fashion that your PHP 
script is happy.

-- 
With best regards

Michael Stauber
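
The ownership cases discussed in the message above, worked through as an added example that is not part of the original post and is not BlueOnyx code. It is a simplified model of the classic Unix owner/group/other check; the paths, the site2/admin2 names and the 0664 mode are assumptions made for illustration.

```python
# Added example: simplified model of the classic Unix owner/group/other check.
# Root, ACLs and directory search permission are deliberately left out.
from dataclasses import dataclass

R, W = 4, 2  # read and write permission bits


@dataclass(frozen=True)
class Entry:
    path: str
    owner: str
    group: str
    mode: int


def allowed(user, groups, entry, want):
    """The first matching class (owner, then group, then other) decides alone."""
    if user == entry.owner:
        bits = entry.mode >> 6
    elif entry.group in groups:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return (bits & 7 & want) == want


# Constructed sample data: paths, names and the 0664 mode are assumptions.
FTP_UPLOAD = Entry("/site1/web/config.php", "admin", "site1", 0o664)
CHOWNED = Entry("/site1/web/config.php", "apache", "site1", 0o664)
OTHER_SITE = Entry("/site2/web/config.php", "admin2", "site2", 0o664)


def scenarios():
    own_group = {"apache"}                     # apache outside every site group
    all_groups = {"apache", "site1", "site2"}  # the rejected "add apache to all groups"
    return {
        "ftp_upload_writable_by_apache": allowed("apache", own_group, FTP_UPLOAD, W),
        "chowned_writable_by_apache": allowed("apache", own_group, CHOWNED, W),
        "siteadmin_writes_after_chown": allowed("admin", {"site1"}, CHOWNED, W),
        "apache_in_all_groups_writes_site2": allowed("apache", all_groups, OTHER_SITE, W),
        "apache_own_group_writes_site2": allowed("apache", own_group, OTHER_SITE, W),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Every site's PHP script runs as the same "apache" user here, so the fourth case is the cross-site exposure: with apache in all site groups, the script of one site passes the group check on another site's files.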