directory write access for admin area
I have a site, with a small admin area. The admin area needs to write to a directory, but dont want to give write access to that directory to the group or for anybody else (for security reasons). How can I change the owner of the directory (and subdirectorie开发者_开发技巧s) to the runing user?
Your PHP program will run with a fixed user id as far as the operating system is concerned. The OS does not know who is accessing the website.
What you need to do is give permission to write files to the user that PHP is running under, and then trust the PHP code to only act on behalf of who it considers to be admin users. The best you can (and should) do on the OS level is to lock down other parts of the filesystem, so that an error in the PHP cannot cause anyone to get to files outside of this admin area.
There's no such thing as impersonation in PHP, so you'll have to live with one OS user performing all actions, whoever is logged in to your site (guest / user / admin).
I'll explain how we manage that on our installations.
We've got two groups - "webmasters" and "uploads". Every web developer is member of both group. Apache is member of "uploads" group only. We have a mask set to 002 and +s flag set on directories.
Our directory permissions look like this:
drwxrwsr-x 3 romans webmaster 4096 Sep 19 16:56 locale
drwxrwsr-x 2 romans upload 4096 Sep 23 17:27 logs
-rw-rw-r-- 1 romans webmaster 136 Sep 19 16:56 main.php
This have worked for us amazingly. Permissions are tight and consistent. Any files PHP will create will belong to "upload" and thus be editable by all web-masters. Any other content by web-masters won't be editable by apache.
精彩评论