
Re: [cobalt-developers] PHP and creating a file



P Lindsey wrote:
> I'm having a problem creating a file in PHP. When I try to create it, it says
> permission denied. Is it a security risk to create a directory and chmod it
> to 777 and house about 600 scripts in there? I have to install a lot of
> scripts automatically and so I need to create files and copy them but into
> a secure environment. Any help would be appreciated.

Don't know about PHP, but, running a perl cgi in a cgi-bin directory
with 0777 permissions used to be considered unsafe. If I remember right
CGIwrap used to fail to execute such scripts. But not anymore. You can
run a perl script in any 0777 directory and with that script create
files in that directory. If that created file is itself a script, and if
the creating script also set an executable permission for it, then that
script will run too. 

In the interest of running a tight ship any script *should* reset the
directory's permission to minimum needed when it is done creating in it.
The same script can always reset it to 0777 if it needs to re-create in
the directory later. 

I suggest that you look for the cause of your "permission denied"
elsewhere. What follows applies particularly to perl since I don't use
php, but they're both executables so....
 
1) Be sure that your *.php itself has executable permissions
2) Are you trying to create the directory with the script? If so then
the directory you are trying to create that directory in might need 0777
permissions.
3) Are you trying to chmod an existing directory with the script and if
so are you sure you are getting the directory permissions changed? For
example, if the directory was created by the server-admin instead of the
site-admin then a script cannot change that directory's permissions.
Even if the script and the directory have the same owner it doesn't
matter unless that common owner is the site-admin. Scripts run as the
site-admin user regardless of which user owns the script. That is a
CGIwrap thing that you don't want to monkey with.

CGIwrap causes some funnies if you are used to working without it. But
here's something to consider about ownership/permissions/security. If
you create the directory with the script you need only give it 0700
permission to read/write/create files within it, 0777 is not necessary,
and the standard 0755 or 0711 will also work. Likewise, if the directory
already exists AND it is owned by the site-admin, you still need only
0700 to be able to read/write/create files within it. The fact that
executables run as the site-admin instead of as http, nobody, fred,
wilma, or whoever can be turned into a very useful tool sometime after
you take the bandages off from your first encounter with it :) 

Hope this is helpful.....

keith
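
The 0700 approach described in the reply above, as an added shell example that is not part of the original post: the installing script creates the target directory itself with owner-only permissions, copies the scripts in, and then checks that nothing under it is world-writable. The function names and paths are hypothetical, and it assumes the installer runs as the same user that will later execute the scripts (the site-admin under CGIwrap, per the reply).

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical.

# Print the octal permission bits of a path (GNU stat, then BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_scripts SRC DEST
# Copy every regular file in SRC into DEST. DEST is created (or tightened) to
# 0700 and each copy is set to 0700, so only the owning user can read, write
# or execute anything in it. No 0777 step is needed at any point.
install_scripts() {
    (
        src=$1
        dest=$2
        umask 077                          # anything created below is owner-only
        mkdir -p "$dest" || exit 1
        chmod 700 "$dest" || exit 1        # also fixes a pre-existing dir we own
        for f in "$src"/*; do
            [ -f "$f" ] || continue        # skip subdirectories and empty globs
            cp "$f" "$dest/" || exit 1
            chmod 700 "$dest/$(basename "$f")" || exit 1
        done
    )
}

# audit_world_writable DIR
# List files and directories under DIR that any local user could modify.
# An empty result is the goal; a 0777 script directory shows up here.
audit_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}
```

If `install_scripts` fails with "permission denied" on `mkdir` or `chmod`, the parent or target directory is owned by a different user than the one the script runs as, which is the ownership case the reply describes in point 3.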