开发者

directory write access for admin area

I have a site, with a small admin area. The admin area needs to write to a directory, but dont want to give write access to that directory to the group or for anybody else (for security reasons). How can I change the owner of the directory (and subdirectorie开发者_开发技巧s) to the runing user?


Your PHP program will run with a fixed user id as far as the operating system is concerned. The OS does not know who is accessing the website.

What you need to do is give permission to write files to the user that PHP is running under, and then trust the PHP code to only act on behalf of who it considers to be admin users. The best you can (and should) do on the OS level is to lock down other parts of the filesystem, so that an error in the PHP cannot cause anyone to get to files outside of this admin area.


There's no such thing as impersonation in PHP, so you'll have to live with one OS user performing all actions, whoever is logged in to your site (guest / user / admin).


I'll explain how we manage that on our installations.

We've got two groups - "webmasters" and "uploads". Every web developer is member of both group. Apache is member of "uploads" group only. We have a mask set to 002 and +s flag set on directories.

Our directory permissions look like this:

drwxrwsr-x  3 romans    webmaster  4096 Sep 19 16:56 locale
drwxrwsr-x  2 romans    upload     4096 Sep 23 17:27 logs
-rw-rw-r--  1 romans    webmaster   136 Sep 19 16:56 main.php

This have worked for us amazingly. Permissions are tight and consistent. Any files PHP will create will belong to "upload" and thus be editable by all web-masters. Any other content by web-masters won't be editable by apache.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜