[nycphp-talk] Php file owner, group and permissions

Michael Hernandez sequethin at gmail.com
Tue Oct 16 15:11:57 EDT 2007


On Oct 16, 2007, at 2:53 PM, Cliff Hirsch wrote:

>> I'd say it really depends
> You’re making me think here!
>>
>>  (you must have seen that one coming haha). If your web  
>> application needs to write to files then those files need to be  
>> writable to someone, and it's better imho to be writable by a  
>> specific user than "the world". In that case having the files  
>> owned by the user that php will run as is usually safe.  
>> Alternatively you can use group writable permissions. If you don't  
>> have to write to the file system the owner of the files is not so  
>> important so long as the files that you want the world to read are  
>> world readable.
>>
>> My .02
>>
>> --Mike H
> I guess I have to see how apache/php is running — I’m guessing as  
> “nobody”

Well, if apache is running as nobody, php is running as nobody (most  
likely) and that's a case where I'd say you might want to reconfigure  
things so that apache/php run as a different user. Most of the time  
when I've seen nobody, there are lots of daemons running as nobody  
and it might not be a good idea to have so much running as nobody (in  
case someone manages to hijack something else that's running as  
nobody). Creating a user like www might work, but as you know it all  
depends. Also, keep in mind that if you chown stuff to a user that is  
not a login user and you have shell users that need to edit those  
files you will run into a problem (but that's where group perms  
really do come in handy).

My shared host chowns files that they want me to be able to edit to  
my shell user, with the group being a special group they have created  
for process segregation. For files they don't want me to edit (some  
special log files mostly), they chown those files to the segregated  
"apache user". On the servers at my office anyone who needs to edit  
files is also trusted with sudo rights (very few of us) so we can  
edit any file on the system regardless of who owns the file. If you  
are the only user you might not need to worry about that as much but  
(last time I promise...) it depends ;)

Again it's really only a problem if your PHP has to write to files on  
the system and not strictly to some mysql db, for example. As long as  
the php interpreter and apache (and of course, the world, that is -  
web browsers) can see the files you should be alright.

Hope it helps!

--Mike H
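
The checks discussed in this message, as an added shell example that is not part of the original post: it lists what the web server account owns, flags anything world-writable, and switches a tree to group-shared writes. The function names, and the web root, user and group passed to them, are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# Print every file or directory under $1 that "the world" can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Print every path under $1 owned by user $2, e.g. the account apache/php
# runs as. The owner can always modify (or re-chmod) these paths.
owned_by() {
    find "$1" -user "$2" -print
}

# Let group $2 write to $1 and take write access away from everyone else.
# setgid on directories makes new files inherit the group, so shell users
# and the web server account (both members of $2) can edit each other's files.
share_with_group() {
    chgrp -R "$2" "$1" &&
    chmod -R g+rwX,o-w "$1" &&
    find "$1" -type d -exec chmod g+s {} +
}

# Report on web root $1 for process user $2; non-zero if anything is
# world-writable.
audit_webroot() {
    audit_root=$1
    audit_user=$2
    echo "Owned by $audit_user (PHP can always rewrite these):"
    owned_by "$audit_root" "$audit_user" | sed 's/^/  /'
    audit_ww=$(world_writable "$audit_root")
    if [ -n "$audit_ww" ]; then
        echo "World-writable:"
        printf '%s\n' "$audit_ww" | sed 's/^/  /'
        return 1
    fi
    echo "No world-writable paths."
}

# Usage: sh audit.sh /path/to/webroot www   (both arguments are placeholders)
if [ "$#" -ge 2 ]; then
    audit_webroot "$1" "$2"
fi
```

`share_with_group` has to be run by root or by the owner of the files, and the owner must be a member of the target group for `chgrp` to succeed.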