> Don't allow them to run php scripts in the public_html directory

I would like to give them the option of using PHP. I will also be making MySQL available to the users.

> What is the point of the web based file manager?

To eliminate Local Accounts, and so that they don't have to upload files via ftp or ssh. Plain ftp is very unsecure, and using a secure ftp server can be very confusing to less advanced users. Also, if a user wants to edit web pages on their lunch hour, they may be behind a corporate firewall that will not allow them to connect to a secure ftp server, or use ssh, but http is always available.

> So they don't have to use ftp or ssh to upload files?
>
> Jim Lucas
> ----- Original Message -----
> From: "Dean E. Weimer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 27, 2003 4:04 PM
> Subject: [PHP] PHP Web Based File Management and Security
>
>> I was starting to make and test some pages for web based file management
>> using PHP (4.3.2) with Apache (2.0.46) on a FreeBSD (4.8) Server.
>>
>> The pages of course would be secured with ssl and use .htaccess files
>> combined with mod_auth_pgsql to provide logins.
>>
>> Apache is running as user nobody, so I had to switch the directories and
>> files to be owned by user nobody, with security of 0744 on files and 0755
>> on directories.
>>
>> Since users will not be given local login access or ftp access, my first
>> thought was that this is OK.
>>
>> But what is to stop user1 from uploading a PHP script that will delete or
>> modify files in user2's directory?
>>
>> I realize that I could make this somewhat harder by placing users' files
>> behind randomly generated directory names, making it harder for user1 to
>> guess that user2's files are in a directory named 370261, but this only
>> makes it a little more difficult.
>>
>> --
>> Thanks,
>> Dean E. Weimer
>> http://www.dwiemer.org/
>> [EMAIL PROTECTED]
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php

--
Thanks,
Dean E. Weimer
http://www.dwiemer.org/
[EMAIL PROTECTED]
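
The exposure raised in the quoted message, as an added example that is not part of the original thread: an audit that reports which files in each per-user directory a given uid could overwrite or unlink, run over a constructed tree with the 0744/0755 modes from the post. The function names and the sample tree are assumptions, and only classic owner/group/other mode bits are evaluated (no ACLs, sticky bit or root bypass).

```python
import os
import tempfile

def perm_bits(st, uid, gids=()):
    """rwx triplet (0-7) that applies to `uid` for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(root, uid, gids=()):
    """Map each per-user directory under `root` to the files a process
    running as `uid` could overwrite (w on file) or unlink (w+x on dir)."""
    report = {}
    for user in sorted(os.listdir(root)):
        top = os.path.join(root, user)
        if not os.path.isdir(top):
            continue
        exposed = []
        for dirpath, _dirs, files in os.walk(top):
            dbits = perm_bits(os.stat(dirpath), uid, gids)
            can_unlink = (dbits & 3) == 3
            for name in files:
                path = os.path.join(dirpath, name)
                can_write = bool(perm_bits(os.lstat(path), uid, gids) & 2)
                if can_write or can_unlink:
                    rel = os.path.relpath(path, root)
                    exposed.append((rel, can_write, can_unlink))
        report[user] = exposed
    return report

def build_sample(root):
    """Constructed sample: two users, every inode owned by one uid."""
    for user in ("user1", "user2"):
        d = os.path.join(root, user)
        os.mkdir(d)
        os.chmod(d, 0o755)
        f = os.path.join(d, "index.php")
        with open(f, "w") as fh:
            fh.write("<?php echo 'hi'; ?>\n")
        os.chmod(f, 0o744)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        # The current uid stands in for the shared web-server account.
        for user, items in audit(root, os.geteuid()).items():
            print(user, items)
```

Every file in both directories is reported for the owning uid and none for a different uid, which is why the mode bits in this layout do not separate one user's scripts from another's.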