x and r permission of web application in centos - linux

Question 2: As to the file folders, WordPress knows their structure. So, we need not set r permission on any file folder?

It's been a while since I have had anything to do with WordPress, but since you're a nice girl I will try to help you out:
Generally, execute is required for executing scripts such as PHP or Perl. To review your WordPress permissions, have a look at
Wordpress Linux file permissions and group
This has a tidy shell script to define correct permissions.
Generally, everything WWW has to have read permission, otherwise it's not readable.
Again, Apache should be fine, since the underlying process running the virtual site for a user should be apache - unless you are running some form of strange Apache config where the apache user becomes the real user for a virtual host (never seen anything like it - unless we are talking IBM HTTP Server or something). So giving the apache user the correct permissions should work.
Suppose I am a website viewer; how can I write a file in those folders with the file owner being nobody?
This would actually be the apache user: me visiting your site and hitting your page would trigger Apache to serve that page, and the underlying user serving that page would be that apache user. If it happens to be nobody:nogroup, then that's who needs the relevant permissions to write to the folder.
So if you have /var/www/html and it is owned by root and your Apache process is running as nobody, then nobody cannot write into the root-owned folder.

Related

Why does Apache require Other's execute permission on folder

I have a webapp setup on cPanel/Apache/CentOS
If I set the permission of directories under document root to 755, it works OK. However, if I change any directory permission to 754 (revoke execute permission from OTHER group), the web server refuses to serve any file under the folder, resulting in 404 not found error.
Apache is running as the file owner, so why does it bother to care about the OTHER's execute permission?
Apache is running as the file owner, so why does it bother to care about the OTHER's execute permission?
Are you sure about that? Apache is almost never configured this way, outside of exotic setups like mpm-itk. The web server is usually configured to run as a separate user, often as www-data, httpd, or nobody. These users are not members of your group, so they rely on the "other" privilege mask.
Depending on your site configuration, you might be able to add an access control list to the document root to explicitly allow the web server user, or chgrp your document root to a group shared with the web server to use group privileges instead. (Or you might not. No guarantees.)
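Why 754 stops the site from being served can be shown by modelling the permission check itself, as an added example that is not part of the original question or answer: exactly one of the owner, group or other triplets applies to a process, and every directory on the path needs x from that triplet. The uid/gid numbers and paths in `sample` are constructed, and ACLs and root's override are not modelled.

```python
import os
import stat

def perm_class(mode, owner_uid, owner_gid, uid, gids):
    """Return the single rwx triplet that applies: owner, else group, else other."""
    if uid == owner_uid:
        return "owner", (mode >> 6) & 7
    if owner_gid in gids:
        return "group", (mode >> 3) & 7
    return "other", mode & 7

def explain_path(entries, uid, gids):
    """entries: (name, mode, owner_uid, owner_gid, is_dir) tuples, root first.
    Directories need x (search); the final entry also needs r."""
    for i, (name, mode, o_uid, o_gid, is_dir) in enumerate(entries):
        cls, bits = perm_class(mode, o_uid, o_gid, uid, gids)
        if is_dir and not bits & 1:
            return False, f"{name}: '{cls}' class lacks x, cannot traverse"
        if i == len(entries) - 1 and not bits & 4:
            return False, f"{name}: '{cls}' class lacks r, cannot read"
    return True, "readable"

def stat_entries(path):
    """Build the entries list for a real path, one tuple per path component."""
    cur, parts = os.path.abspath(path), []
    while True:
        st = os.stat(cur)
        parts.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                      stat.S_ISDIR(st.st_mode)))
        parent = os.path.dirname(cur)
        if parent == cur:
            return parts[::-1]
        cur = parent

def sample(dir_mode):
    """Constructed layout: site owner is uid/gid 1000, document root uses dir_mode."""
    return [("/home/site", 0o755, 1000, 1000, True),
            ("/home/site/public_html", dir_mode, 1000, 1000, True),
            ("/home/site/public_html/index.php", 0o644, 1000, 1000, False)]

if __name__ == "__main__":
    # Constructed web server identity: uid 48, member of gid 48 only.
    for m in (0o755, 0o754):
        print(oct(m), explain_path(sample(m), uid=48, gids={48}))
```

For a live check, pass `stat_entries("/path/to/file")` together with the web server's real uid and group ids to `explain_path`.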

retrieving files from NAS linux network in PHP

I'm working on a PHP project where a particular feature will have to access files stored in an external directory: Network Attached Storage (Linux). Let's say the path is /volume1/accounts and this is mounted on the Linux server where my site is hosted using Apache. I will have to retrieve files from that directory. Is there a way in PHP to do that? My client says that it's already been mounted.
No matter what I do, I can't access it using these test codes:
print "<pre>".print_r(scandir("/volume1/accounts/"), true)."</pre>";
print "<pre>".print_r(scandir("192.168.0.233/volume1/accounts"), true)."</pre>";
print "<pre>".print_r(scandir("192.168.0.233:/volume1/accounts"), true)."</pre>";
How am I supposed to do it? Please help me.
Generally, the PHP engine is executed with the Apache server's privileges. So the mounted directory has no permissions or ownership for the Apache server, and it will not be able to show file lists. Could you try to make a directory in /volume1/accounts/ and change its ownership and permissions? If the Apache server is running with apache:apache ownership, please change the ownership of the directory to the same.

Are folder permissions on a web server adequate security?

I'm working on a project which uses a folder full of flat-file databases. I'd like to make sure these databases are only accessible to scripts running off the server, so I set the folder permissions to 700.
This results in all scripts functioning properly, but a 403 Forbidden whenever I try to access the database folder in my browser. This is good.
However, I'm wondering: am I missing something? Is there any way — short of gaining access to my FTP account – for an outside user to access this folder? Or can I rest easy?
The proper solution is storing them outside the document root. If you cannot do that, but know that Apache will be used, create a .htaccess in the folder with the following contents:
# Block all HTTP access to this folder; the Order argument takes no space after the comma
Order deny,allow
Deny from all
Using filesystem permissions may or may not work depending on the environment - in a perfect setup the webserver would use the same uid as your system user that owns the files. Then your approach wouldn't work.

Is there any security with suPHP?

I asked this question a while back and even though I put up several bounties, I never got much of an answer (see here). More generally, I want to know if there is any concept of security with suPHP? What's to stop anyone from going to
www.example.com/rm-f-r.php
or
www.example.com/return_some_iamge.php
Because those scripts get executed with the privileges of the user, it's essentially guaranteed access.
EDIT: To elaborate on the above, my problem is a conceptual one. Assume we have a file at /home/user/test.php. Let this file do anything (rm -f -r /, fetch and return a picture, reboot the computer...). If I point my browser to that file (assuming the containing folder is an enabled site under Apache), how do I tell the browser to only let the owner of that file execute it?
EDIT 2: I never explicitly stated this as I assumed suPHP is only used with Apache (i.e. web browsers), but I am talking about authenticating Linux users with only a browser. If we do not authenticate, then anyone technically has access to any script on the server (with web sites this is not a problem as they always have permissions set to 0644, so essentially the whole world can see. PHP files, on the other hand, have permissions generally set to 0700).
suPHP has the effect that the PHP runtime executes with the permission of the user that authored the .php file. This means that a PHP program author can only read and write files that he himself owns, or otherwise has access to.
If you put a PHP file on your website you are making it publicly runnable by anyone that comes along to your website - using suPHP does not change this. Without logging in to your site, all web users are effectively anonymous and there is no way to reliably identify an individual. suPHP only controls the local permissions the script will have when it is executed, it does not intend to introduce any form of web user authentication or authorisation.
If you wish to control which users can actually run a script, you need to implement some login functionality and force the users to log in to your site. Then add a check to the sensitive PHP script (or Apache configuration) which will make it abort the request, if the current logged in web user is not one you wish to execute that script.

joomla directory permission problem

I have installed Joomla on my new account. All the files are showing the FTP username as the owner of files. But when I go to the Joomla admin section and check directory permissions, it says that a few folders are unwritable.
Does it mean that the admin page is using a different user than the FTP username?
It's not about ownership; usually it's about permissions. If you want to understand it all, there is a quite extensive FAQ:
http://forum.joomla.org/viewtopic.php?t=121470
Short one - look into the test results and note the files and directories to be changed. Depending on the security configuration of your web server, the recommended default permissions are:
755 for directories
644 for files
Change them. For FileZilla (a free FTP client - my best guess on what you are using), a good tutorial on how to change file permissions is:
http://www.codeunit.co.za/2008/07/18/remotely-changing-multiple-linux-file-permissions-with-filezilla/
Since the owner usually has the most rights, changing the ownership of all files to the HTTP server process owner could also work, but then again - you would have to do this each time and it's not possible via FTP.
Yes, if this is hosted on apache, the apache server usually runs as user www-data.
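An added example (not from the original answers) that audits a site tree against the 755/644 defaults named above and labels each deviation, so world-writable entries stand apart from ones that are merely stricter. `audit_tree` and its note strings are names chosen here.

```python
import os
import stat

DIR_MODE, FILE_MODE = 0o755, 0o644   # defaults recommended in the answer above

def audit_tree(root):
    """Return sorted (relative_path, actual, expected, note) tuples for every
    entry under root whose mode differs from the 755/644 defaults."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                      # a symlink's own mode is not meaningful
            actual = stat.S_IMODE(st.st_mode)
            expected = DIR_MODE if is_dir else FILE_MODE
            if actual == expected:
                continue
            if actual & stat.S_IWOTH:
                note = "world-writable"       # any local account can modify it
            elif actual & ~expected:
                note = "more permissive than default"
            else:
                note = "stricter than default"  # may be why a folder shows as unwritable
            findings.append((os.path.relpath(full, root),
                             oct(actual), oct(expected), note))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for row in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```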

Resources