Patrick,
The PHP scripts run as "www" on the webserver, but the directories are
owned by "steve" and I believe that group is "wheel". I don't really
have access to be able to change all the file owners. The problem is
that I need "www" to have "write" permission, which means that the
whole web can do so as well. I have noticed that this same issue is
present in popular open-source applications, like osCommerce, which is
actually where I had the problem. Their images file needs "write"
permission to receive new product images when you upload them. Someone
installed a shell program in it!!
I have been advised that I may have to run PHP as a CGI in order to
protect the directories...
thanks
On Oct 5, 2005, at 9:38 PM, Patrick G. wrote:
Hello steve,
Wednesday, October 5, 2005, 9:24:54 AM, you wrote:
sm> Hi all.
sm> I have several websites that have PHP upload scripts to allow a client
sm> to update photos on their sites. I upload the images, then copy them to
sm> appropriate directories from where they are served. I seem to have to
sm> set the permissions on these directories to 777 in order to get the
sm> images copied into them, but this exposes them to the outside world and
sm> creates a security problem. I have tried changing permissions to 766,
sm> but the uploads don't work.
sm> I sure could use some guidance on what permissions to use, or how to
sm> get this secure and working.
Just a couple of quick thoughts?
What (who) are owner and group? Does group match who the web server runs as?
HTH --
Patrick G.
____ The WDVL Discussion List from WDVL.COM ____
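
An added illustration, not part of the original thread: a small shell audit for the situation discussed above. It shows why mode 766 blocks uploads (creating a file in a directory needs both write and search permission for the class the web server falls into) and how to list world-writable directories and script files sitting in them. The function names, the extension list and the sample file names are constructed for this example, and modes are assumed to be three octal digits.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and file names are constructed.

# Can the given class (owner|group|other) create files in a directory with
# this 3-digit octal mode? Creating an entry needs write (2) AND search (1).
class_can_create() {
    mode=$1
    case $2 in
        owner) d=${mode%??} ;;
        group) d=${mode#?}; d=${d%?} ;;
        other) d=${mode#??} ;;
        *) return 2 ;;
    esac
    [ $(( d & 3 )) -eq 3 ]
}

# Directories under $1 that every local account can write to (bit 0002).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Script-like files sitting directly in those directories: the symptom
# described in the thread (a shell program dropped into an images folder).
scripts_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.cgi' -o -name '*.pl' \) -print
    done | sort
}

# Constructed sample web root: images/ is 777, docs/ is 755.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir "$root/images" "$root/docs"
    : > "$root/images/product.jpg"
    : > "$root/images/x.php"
    : > "$root/docs/index.php"
    chmod 777 "$root/images"
    chmod 755 "$root/docs"
    echo "$root"
}
```

With owner "steve" and the web server running as "www", `class_can_create 775 group` succeeds only for accounts in the directory's group, which is why the owner and group question in the quoted reply matters.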