Patrick,
The PHP scripts run as "www" on the webserver, but the directories are owned by "steve" and I believe that group is "wheel". I don't really have access to be able to change all the file owners. The problem is that I need "www" to have "write" permission, which means that the whole web can do so as well. I have noticed that this same issue is present in popular open-source applications, like osCommerce, which is actually where I had the problem. Their images file needs "write" permission to receive new product images when you upload them. Someone installed a shell program in it!!

I have been advised that I may have to run PHP as a CGI in order to protect the directories...

thanks


On Oct 5, 2005, at 9:38 PM, Patrick G. wrote:

Hello steve,

Wednesday, October 5, 2005, 9:24:54 AM, you wrote:

sm> Hi all.

sm> I have several websites that have php upload scripts to allow a client
sm> to update photos on their sites. I upload the images, then copy them to
sm> appropriate directories from where they are served. I seem to have to
sm> set the permissions on these directories to 777 in order to get the
sm> images copied into them, but this exposes them to the outside world and
sm> creates a security problem. I have tried changing permissions to 766,
sm> but the uploads don't work.

sm> I sure could use some guidance on what permissions to use, or how to
sm> get this secure and working.

Just a couple of quick thoughts?

What(who) are owner and group? Does group match who the web server
runs as?

HTH --
Patrick G.
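
An added example, not part of the original thread: creating a file in a directory needs both write and search (execute) permission on that directory, which is why 766 stops the uploads while 777 allows them. The script below checks that rule for a given mode and class, then lists world-writable directories and any script files sitting directly inside them. The directory names, file names and extension list are constructed for illustration.

```shell
#!/bin/sh
# Added example. The directory layout and file names below are constructed.

# can_create MODE CLASS: succeed if CLASS (owner|group|other) may create files
# in a directory with three-digit octal MODE. Creating a directory entry needs
# both write (2) and search/execute (1) on the directory itself.
can_create() {
    case $2 in
        owner) digit=${1%??} ;;
        group) digit=${1#?}; digit=${digit%?} ;;
        other) digit=${1#??} ;;
        *) return 2 ;;
    esac
    [ $(( digit & 3 )) -eq 3 ]
}

# world_writable_dirs ROOT: print directories under ROOT with the other-write bit.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# scripts_in_writable_dirs ROOT: print script files sitting directly inside a
# world-writable directory, where only uploaded images are expected.
scripts_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.cgi' \) -print
    done | sort
}

# Constructed sample tree: one 777 upload directory holding an image and a
# stray script, and one 775 directory that "other" cannot write to.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/images" "$root/includes"
    : > "$root/images/product1.jpg"
    : > "$root/images/x.php"
    : > "$root/includes/config.php"
    chmod 777 "$root/images"
    chmod 775 "$root/includes"
    printf '%s\n' "$root"
}

for m in 777 766 775; do
    can_create "$m" other && echo "$m: other can create" || echo "$m: other cannot create"
done
tree=$(make_sample_tree)
scripts_in_writable_dirs "$tree"
rm -rf "$tree"
```

Run against a real web root, the two listing functions take the document root as their only argument.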


