Don't allow them to run php scripts in the public_html directory.

What is the point of the web based file manager? So they don't have to use ftp or ssh to upload files?

Jim Lucas

----- Original Message -----
From: "Dean E. Weimer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 27, 2003 4:04 PM
Subject: [PHP] PHP Web Based File Management and Security

> I was starting to make and test some pages for web based file management
> using PHP (4.3.2) with Apache (2.0.46) on a FreeBSD (4.8) Server.
>
> The pages of course would be secured with ssl and use .htaccess files
> combined with mod_auth_pgsql to provide logins.
>
> Apache is running as user nobody, so I had to switch the directories and
> files to be owned by user nobody, with security of 0744 on files and 0755 on
> directories.
>
> Since users will not be given local login access or ftp access, my first
> thought was that this is OK.
>
> But what is to stop user1 from uploading a PHP script that will delete or
> modify files in user2's directory??
>
> I realize that I could make this somewhat harder by placing users' files
> behind randomly generated directory names, making it harder for user1 to
> guess that user2's files are in a directory named 370261, but this only
> makes it a little more difficult.
>
> --
> Thanks,
> Dean E. Weimer
> http://www.dwiemer.org/
> [EMAIL PROTECTED]
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
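
The advice at the top of this reply, written out as an Apache configuration. This is an added example, not part of either message; it assumes PHP runs as the Apache module (mod_php) and that uploads are stored under the placeholder path /path/to/userfiles, which is not a path from the thread.

```apache
# Assumed layout (placeholder, not from the thread):
#   /path/to/userfiles/<user>/   files uploaded through the file manager

# Weak: the upload tree inherits the server-wide PHP mapping. Any uploaded
# *.php file that is requested by URL runs as the Apache user (nobody),
# which owns every user's files, so one user's script can reach another
# user's directory.
#
#   AddType application/x-httpd-php .php
#   <Directory "/path/to/userfiles">
#       AllowOverride All
#   </Directory>

# Hardened: the upload tree serves static content only.
<Directory "/path/to/userfiles">
    # Switch the PHP engine off for this tree. The php_admin_* form
    # cannot be overridden from a .htaccess file.
    php_admin_flag engine off

    # Drop the extension mappings so uploaded scripts are not handed to
    # any interpreter (extension list is an assumption; match it to the
    # AddType/AddHandler lines in your own httpd.conf).
    RemoveType .php .php3 .php4 .phtml
    RemoveHandler .php .php3 .php4 .phtml

    # No CGI execution and no server-side includes in this tree.
    Options -ExecCGI -Includes

    # Ignore .htaccess here, so an uploaded .htaccess cannot re-add a
    # handler. Login directives for this tree then go in the server
    # configuration rather than in .htaccess.
    AllowOverride None
</Directory>
```

This only stops uploaded files from executing when requested from that tree; the file manager's own PHP pages still run as nobody and must confine each user to their own directory.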