On Oct 16, 2007, at 2:53 PM, Cliff Hirsch wrote:

> I'd say it really depends
You’re making me think here!

(you must have seen that one coming haha). If your web application needs to write to files then those files need to be writable to someone, and it's better imho to be writable by a specific user than "the world". In that case having the files owned by the user that php will run as is usually safe. Alternatively you can use group writable permissions. If you don't have to write to the file system the owner of the files is not so important so long as the files that you want the world to read are world readable.

My .02

--Mike H
I guess I have to see how apache/php is running — I’m guessing as “nobody”

Well, if apache is running as nobody, php is running as nobody (most likely) and that's a case where I'd say you might want to reconfigure things so that apache/php run as a different user. Most of the time when I've seen nobody, there are lots of daemons running as nobody and it might not be a good idea to have so much running as nobody (in case someone manages to hijack something else that's running as nobody). Creating a user like www might work, but as you know it all depends. Also, keep in mind that if you chown stuff to a user that is not a login user and you have shell users that need to edit those files you will run into a problem (but that's where group perms really do come in handy).

My shared host chowns files that they want me to be able to edit to my shell user, with the group being a special group they have created for process segregation. For files they don't want me to edit (some special log files mostly), they chown those files to the segregated "apache user". On the servers at my office anyone who needs to edit files is also trusted with sudo rights (very few of us) so we can edit any file on the system regardless of who owns the file. If you are the only user you might not need to worry about that as much but (last time I promise...) it depends ;)

Again it's really only a problem if your PHP has to write to files on the system and not strictly to some mysql db, for example. As long as the php interpreter and apache (and of course, the world, that is - web browsers) can see the files you should be alright.

Hope it helps!

--Mike H
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
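
The checks discussed in this thread, written as a shell script. This is an added example, not part of the original messages; the process names matched in `web_users` and the docroot and group arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit a PHP docroot for the ownership issues in this thread.
# Process names, the docroot path and the group name are assumptions.

# Distinct users that Apache/PHP processes are running as (e.g. "nobody").
web_users() {
    ps -e -o user= -o comm= |
        awk '$2 ~ /^(httpd|apache2|php-fpm|php-cgi)/ { print $1 }' | sort -u
}

# Files and directories under $1 that any local account can modify.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Regular files under $1 owned by user $2: what a hijacked process
# running as that user could rewrite.
owned_by() {
    find "$1" -type f -user "$2" -print
}

# Swap world-write for group-write (group $2) on everything
# world_writable reports, so writes go through a specific group.
world_to_group() {
    find "$1" \( -type f -o -type d \) -perm -0002 \
        -exec chgrp "$2" {} \; -exec chmod o-w,g+w {} \;
}

# Report only, no changes: sh audit.sh /path/to/docroot
if [ $# -eq 1 ] && [ -d "$1" ]; then
    for u in $(web_users); do
        echo "$u owns $(owned_by "$1" "$u" | wc -l) files under $1"
    done
    echo "world-writable entries:"
    world_writable "$1"
fi
```

Shell users who need to edit the files must be members of the group passed to `world_to_group`, otherwise they lose write access when the world-write bit is removed.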
