SitePoint Sponsor

User Tag List

Results 1 to 3 of 3
  1. #1
    SitePoint Enthusiast
    Join Date
    Nov 2009
    Posts
    83
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Forms based file permissions?

    I use a home-rolled (mostly files-based) CMS I've been working on for a decade. As a developer I use ssh, bash, perl sed occasionally awk and php to make my sites work. I try to avoid mysql and use it only for forums and shopping carts. Not counting LOG files I have all files in my DOCUMENT_ROOT belong to me instead the apache process. I've never been hacked.

    But a growing number of customers want to be able to upload images and short, newsy html fragments. Others want to be able to change the text on any and all pages. To allow editing with a files-based system I have to give file system write permission to the apache process. Which makes me nervous.

    I'd like to figure out a way to make the entire DOCUMENT_ROOT read only in between short-lived editing sessions, and still have the file system belong to me instead of pseudo user apache.apache

    I could see using an https form to invoke some compiled setuid C-code, that runs as me, that does a chmod -R on the document root. But maybe that's a bad idea no matter what. Is there any other way to do this? Or do I have to: chown -R DOCUMENT_ROOT apache.apache? Perhaps that's best. An https form would could chmod the file system just long enough to make edits. And then make it read only again.

    What am I not thinking about?

  2. #2
    Certified Ethical Hacker silver trophybronze trophy dklynn's Avatar
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,644
    Mentioned
    19 Post(s)
    Tagged
    3 Thread(s)
    pitten,

    I had created just such a system for a club where different club officers had write permission over specific pages and that was enforced via login. I'd recommend that you tie your editing permission to a set of logins with specific permissions for specific logins. Be sure to use VERY STRONG passwords (http://strongpasswordgenerator.com), too.

    My real concern over your post is that it would be a serious target for hackers. Once a hacker breaks one of your passwords (unless you implement that page edit login briefly discussed above), he could wreak havoc over your website. Therefore, unless you're quite certain of your protection, I'd recommend that you upload the images and text to a temporary area so you can review and post when you've "cleared" the entries. IMHO, it's best not to share editing of websites unless you're REALLY confident of the other parties' capabilities.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  3. #3
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,623
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    I'm just going to point out you are resorting to writing custom C code messing with deep linux security underpinnings when this is a problem that has been solved in a number of ways without taking those steps.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •