FN-FORUM: Security on files/folders

date posted 17th August 2004 18:04

Evenin' all,

As part of a site, I have an admin script that generates a directory
structure and places php files in it. I'm wondering about the security
implications of this. The files/folders will end up being owned by the
apache user and have read/write permissions on them which is almost as
bad as having world read/write permissions on it I think. Obviously I
could just remove the permissions, but the script needs to maintain
control (ie delete/edit them at a later date).

When I did this kind of thing several years ago (with perl), I could set
the set uid bit on the script in question and get it to run as script
owner, thus all files created ended up being owned by ftp account user.
I cant do this on the host I have at present, I know PHP offers the
posix module, but PHP on this host is in safe mode so set uid is
disabled. I also thought of FTPing into the account via the script and
copying the files across thus setting the file ownership that way, but
again host doesn't have the PHP FTP module enabled.

So my question is, do I really need to secure this (I think I do) ? If
so, any other bright ideas on how to do so?

Cheers

Stephen