www.webdeveloper.com

Thread: Shared Hosting and PHP

  1. #1
    Join Date
    Mar 2008
    Posts
    175

    Shared Hosting and PHP

    Hey, guys. Me again. I'm a little fuzzy on PHP's permissions in a shared hosting environment. It seems like PHP has Owner rights to a file. In my script I can create files and directories with PHP, but the permissions seem to be set such that I can't actually delete them via my FTP client, as I seem to be part of the Group, not the Owner. This forces me to set permissions to include Group access.

    For security, I am holding sensitive information in my home directory which, of course, is before the www directory. The files are accessed via a PHP script which parses the URL to determine which file to serve, but the URL itself doesn't actually point to the file. Is this a secure way of doing things? Even if I have to set the files to be accessible by Group?

    I plan to get a dedicated server so the Group thing may not be an issue. In that case, would you recommend I have two servers, one running the database and one that I FTP files to and from? Furthermore, would a dedicated server allow me to have an account with the same Owner access as PHP? Or is that root?

    Thanks! I am just really concerned with using the best security I can.

  2. #2
    Join Date
    Jun 2003
    Location
    here
    Posts
    4,551
    http://uk.php.net/chown

    I'm assuming you could just have PHP change the owner, right?
    If you are using PHP please use the [PHP] and [/PHP] forum tags for highlighting...
    The same applies to HTML and the forums [HTML][/HTML] tags.

  3. #3
    Join Date
    Mar 2008
    Posts
    175
    Quote Originally Posted by scragar
    http://uk.php.net/chown

    I'm assuming you could just have PHP change the owner, right?

    "Warning: chown() [function.chown]: Operation not permitted in..."

    I am doing this via glob, and I have it printing out each file as it finds it, which it does, but still I get this error for each file.


    I just called Support and they are going to recompile PHP with some addon that makes me the Owner by default or something. I still have some of the security concerns I mentioned before.
    Last edited by auxone; 09-19-2008 at 02:20 PM.

  4. #4
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    Is this a secure way of doing things? Even if I have to set the files to be accessible by Group?
    If you're concerned that someone else on the system could access the files because of their group permissions:

    You can set the file group to a group that contains only www (or whatever apache+php runs as on your server). In general, every "user" on the system will have an associated group that contains only itself. So, when you personally create a file, assuming your username is auxone, the user/group should be auxone/auxone. You can easily change the group to www and set its permissions independently.

    See the man pages for chmod and chgrp.

    If you're more concerned about someone accessing your private files with your PHP script:

    Set up a file access list for your script. Just use an array or database table that lists all the content files it's OK for the script to access. And, if the next step isn't obvious, have your script check that list before actually opening anything. Another option is to keep all publicly accessible files in a particular directory and safeguard your script against reading content files from anywhere else.

    If you implement the latter option, make sure to strip leading .'s from filenames. You never know how those clever h4x0rz will sneak a ../ in there.

    I plan to get a dedicated server so the Group thing may not be an issue. In that case, would you recommend I have two servers, one running the database and one that I FTP files to and from?
    It's a matter of expense and necessity. If you don't need two servers for the sake of load-handling or reliability, it's a waste to get them (unless anyone else knows of a reason I'm mistaken).

    Furthermore, would a dedicated server allow me to have an account with the same Owner access as PHP? Or is that root?
    With a dedicated server, you should be granted root access. The system will be yours to destroy. And that user you're thinking of is probably not a PHP user; it's probably www or apache.

    Does any of that make sense? Is it helpful?
    Jon Wire

    thepointless.com | rounded corner generator

    I agree with Apple. Flash is just terrible.

    Use CODE tags!
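
Added example, not part of the original thread or any poster's code: a PHP sketch of the two options described in post #4, an explicit list of servable files plus confining reads to one content directory. The directory path, the file names and the `file` query parameter are assumptions made for illustration.

```php
<?php
// Added example: paths, file names and the "file" parameter are hypothetical.
declare(strict_types=1);

// Private content directory kept outside the document root (assumed layout).
const CONTENT_DIR = '/home/auxone/private_content';
// Option 1 from the post: the only files this script may ever serve.
const ALLOWED_FILES = ['report.pdf', 'notes.txt'];

/** Return the absolute path to serve, or null when the request is refused. */
function resolve_request(string $requested, string $baseDir, array $allowed): ?string
{
    // Refuse empty names and NUL bytes outright.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() drops directory parts; if that changes the input, the
    // request carried a path ("../x", "a/b", "a\b") and is refused.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name !== $requested || $name[0] === '.') {
        return null; // also refuses dotfiles such as .htaccess
    }
    // Check the list before touching the filesystem.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // Option 2: resolve symlinks and confirm the file really lives in the
    // content directory, in case a listed name is a link pointing elsewhere.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Only accept a scalar string; ?file[]=x arrives as an array and is refused.
$raw = $_GET['file'] ?? '';
$path = is_string($raw) ? resolve_request($raw, CONTENT_DIR, ALLOWED_FILES) : null;
if ($path === null) {
    http_response_code(404); // same answer for "refused" and "missing"
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Refusing a name that contains a path, rather than stripping characters and carrying on, avoids the case where a filter that removes `../` once leaves another `../` behind.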

  5. #5
    Join Date
    Mar 2008
    Posts
    175
    Yeah, that clears a lot up. I really appreciate the time spent. As far as protecting the PHP script itself, would a .htaccess file suffice? Or is that not even necessary?

    I also have a settings.ini in the same directory, which of course doesn't have the advantage of being server side like PHP, hence people can just browse right to it. I suppose I will move that to my home directory as well.

    Thanks again. This forum is the best!

  6. #6
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    It's best to have private files precede the www/public_html directory. But, with proper .htaccess or httpd.conf/apache.conf rules, you should theoretically be able to put your full identity in your document root without much concern. That is, of course, unless you've got an insecure (or stupid) script sitting in that directory : )

    .htaccess/httpd.conf/apache.conf:
    Protects files from being served directly to a client via Apache.

    file permissions:
    Protects files from local users, including Apache, even via indirect requests.

    Intelligence:
    Protects scripts from being written insecurely or stupidly.

    Good luck securing your system.
    Jon Wire


  7. #7
    Join Date
    Mar 2008
    Posts
    175
    You rule.

  8. #8
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    You rule.
    Me?
    Jon Wire

