On Friday, April 19, 2002, at 02:44 PM, ROBERT MCPEAK wrote:
> Isn't it quite common to have php creating/editing/deleting files on
> the server? How is this done in a secure manner?

Running Apache/PHP as 'nobody' isn't really that secure, since there may be other services running on the system that run as 'nobody'. The more services that are run under an account, the more open to an attack and therefore compromise that account becomes.

Tell your sysadmin that they should create a user called "www" or "Apache" or something as a dedicated web server user. Then, you can make this user a member of group "phpusers" or something like that. Each trusted user on the system can also be made a member of group "phpusers", so that they can make files accessible to the "www" or "apache" user without having access to files owned by "www" or "apache".

There's a lot to it -- did you read through that FAQ I sent you? It's not as simple as posting a question to a mailing list -- there are books devoted to this very topic. (Don't feel bad, I asked the same thing once on another mailing list, and I'm still learning about the many ways a system needs to be secured.)

It's like the Force -- if you try to take the easy route, the Dark side, sure, you can get your files on the web quickly and easily. You can DO just about anything. But you leave yourself open to exploitation by other users of the Dark side. However, if you invest a lot of time and effort (A LOT) into your Jedi training, you can continually learn how to secure your system or write clean code or normalize your database tables until 900 years old you reach.

Erik

(another Jedi student)

----

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
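An added example, not part of the original message: a shell audit of a web tree against the dedicated-user and shared-group scheme described above. The account "www" and group "phpusers" are the names suggested in the message; the function name `audit_webroot` and the docroot path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit a web tree against the dedicated-user + shared-group scheme.
# Assumptions: WEB_USER (e.g. "www") belongs to SHARED_GROUP (e.g. "phpusers")
# and to no other group that owns files here. audit_webroot is a hypothetical name.
# Usage: audit_webroot /path/to/docroot www phpusers   (names or numeric ids)

audit_webroot() {
    aw_dir=$1
    aw_user=$2
    aw_group=$3

    # Writable by every local account, so group membership protects nothing.
    find "$aw_dir" ! -type l -perm -0002 \
        -exec printf 'WORLD-WRITABLE %s\n' {} \;

    # Paths the web server account can modify: owner-write if it owns the
    # path, otherwise group-write through the shared group. This is what a
    # compromised PHP script could alter, so it should be a short list.
    find "$aw_dir" ! -type l \
        \( \( -user "$aw_user" -perm -0200 \) -o \
           \( ! -user "$aw_user" -group "$aw_group" -perm -0020 \) \) \
        -exec printf 'WEB-WRITABLE %s\n' {} \;

    # Outside the shared group: the web server reaches these only through
    # the "other" permission bits, like any unrelated account on the host.
    find "$aw_dir" ! -type l ! -group "$aw_group" \
        -exec printf 'NOT-IN-GROUP %s\n' {} \;
}
```

Each finding is printed as a tag followed by the path, so the output can be filtered with `grep` per category.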