Question

I have a CentOS 5.8 VPS which is running mod_php rather than FastCGI, which I'm used to on shared hosting, and I've run into the problem that various bits of PHP intended to write to files need those files to be world-writable. The files that are written are like the database for the website, and the RSS XML. This isn't secure, is it? What should I do to make it secure?


Solution

Who has access to this machine? In other words, who is "world" in this scenario? If it is only you, then you don't have anything to worry about, do you?

However, if this system is shared with other people, do you trust all of the admins? If you don't, there's very little you can do to protect your files.

If it is other non-admin users on the system that you are worried about, then you do not want to make your database world-writable. If you cannot write to those files, then the process writing to them (mysql, apache, etc.) is running as the wrong user. Preferably, you'd want your files to be owned by the same user as those processes are running under - but only if you can trust that user! If you can't, then you're probably straight out of luck.
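
One way to apply the ownership approach from the answer above, as an added example that is not part of the original answer: find the world-writable paths, hand them to the user the web server runs as, and drop the group and world write bits. The function names, the `apache` user name and the demo file names are assumptions.

```shell
#!/bin/bash
# Added example. Assumption: mod_php runs inside Apache as user "apache"
# (the CentOS default); confirm on the host with: ps -o user= -C httpd | sort -u

# Print every file or directory under $1 that has the world-write bit set.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Give each world-writable path under $1 to user $2 (name or numeric uid),
# then remove group and world write. chown needs root unless $2 already owns
# the path; paths that cannot be re-owned are skipped and keep their mode,
# so the application does not silently lose write access.
hand_over_to_web_user() {
    want=$(id -u "$2" 2>/dev/null || echo "$2")
    find_world_writable "$1" | while IFS= read -r path; do
        if [ "$(stat -c %u "$path")" != "$want" ]; then
            chown "$2" "$path" || { echo "skipped: $path" >&2; continue; }
        fi
        chmod u+rw,go-w "$path"
    done
}

# Constructed demo tree: the file names are hypothetical stand-ins for the
# site database and RSS feed from the question. The current user plays the
# web server user here, so the demo runs without root.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/site.db" "$tmp/rss.xml" "$tmp/index.php"
    chmod 666 "$tmp/site.db" "$tmp/rss.xml"
    chmod 644 "$tmp/index.php"
    echo "world-writable before:"
    find_world_writable "$tmp"
    hand_over_to_web_user "$tmp" "$(id -u)"
    echo "world-writable after: $(find_world_writable "$tmp" | wc -l)"
    rm -rf "$tmp"
}
demo
```

On a real host the call would be run as root against the site directory with the web server user as the second argument, for example `hand_over_to_web_user /path/to/site apache`, where the path is a placeholder.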

Other tips

Are these "database" files plain-text or in tags? If they are plain-text, anyone can read them by just pointing to them. This is information exposure at least.

I don't know the code and the design of the application, but in some cases it could cause other problems.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow