Re: Securing php: ezpublish

Mon, 06 Sep 2004 21:40:40 -0700 

Jonas Smedegaard wrote:

Why, you might ask, did I not simply drop it below /var/www as everybody
else? Because my job as package maintainer is not only to "throw
something into the system", but also maintain package upgrades. What
ever I "throw in", I must also maintain. So what I did was to only
provide "source" tarballs that you can throw around yourself, and then
also have to maintain yourself. 15 megabytes of PHP code is not easy to
upgrade sanely. If someone knows a clever way to do it (possible through
Debian packages, so CVS and similar is not an option) please let me know.

A local CVS or SVN repository seems to me a sane way of tracking what tweaks we do so we have some prospect of advancing to a future release.




| The instructions say to configure php with safe_mode off. That doesn't
| excite me very much: I know little about PHP, but it sounds to me like
| "on" is better than "off."
|
| OTOH, "on" does cause problems. I want users to be able to upload stuff,
| and that means that PHP needs to write somewhere.
|
| However, PHP, with safe_mode on, wants the directories PHP scripts
| read/write have the same ownership as the scripts. atm the scripts are
| owned by root and that's fine by me.
|
| What do the experts do? Esp those who use ezpublish.

I am a hacker (I hack around in the code) and a professional (I make -
somewhat - a living on setting up and hosting eZ sites), but not an
expert (I took no classes to gain my knowledge).

For my web hosting, I have websites and webphpsites. Websites are owned
by the web designer and in her own group. Webphpsites are owned by the
webdesigner but in the www-data group. a script scans all webphpsites
and corrects wrong group rights (caused by ftp uploads or similar), and
also changes the owner rights back to the webdesigner (files created
through php is owned by www-data).

It's clumsy, but works for me. 


Sounds moderately sane. Thanks for your reponse, Jonas.


--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to