File Browser Problems
I'm using a text editor for my custom CMS. I can't seem to get it to work without modifying permissions on my server. Shouldn't this just work without modifying permissions? PHP is able to read and write stuff, and this uses PHP...
http://docs.fckeditor.net/FCKeditor_2.x/Developers_Guide/Server_Side_Integration
http://docs.fckeditor.net/FCKeditor_2.x/Developers_Guide/Server_Side_Integration
ASKER
I spoke with a tech support rep earlier who didn't know what he's talking about, so maybe you can clear it up.
I think the FCK Editor requires that php/apache (user nobody) be assigned write permissions. I asked him to do this on my reseller account. He said this is possible on a dedicated server but not on a reseller account. I told him that previously, on the dedicated server, they set user nobody with read-write permissions so that FCK Editor could work with its integrated file browsing capabilities.
He said that setting chmod to 755 or 777 is the exact same thing as allowing user nobody read/write (doesn't make sense to me). But he also said that setting user nobody with read/write permissions is VERY insecure and would allow any script access to the server. And that because they're using PHPSusex with the shared servers, this isn't possible. Could you please shed some light on this, since this guy just talks in circles?
I think the FCK Editor requires that php/apache (user nobody) be assigned write permissions. I asked him to do this on my reseller account. He said this is possible on a dedicated server but not on a reseller account. I told him that previously, on the dedicated server, they set user nobody with read-write permissions so that FCK Editor could work with its integrated file browsing capabilities.
He said that setting chmod to 755 or 777 is the exact same thing as allowing user nobody read/write (doesn't make sense to me). But he also said that setting user nobody with read/write permissions is VERY insecure and would allow any script access to the server. And that because they're using PHPSusex with the shared servers, this isn't possible. Could you please shed some light on this, since this guy just talks in circles?
ASKER
In case it helps...here's a snippet of what they used to make FCK Editor work on my dedicated server. Is this insecure? Any reason this type of thing couldn't also be done on my reseller account with a shared server setup?
[root@server1 public_html]# ls -al
total 92
drwxrwx--- 17 nobody nobody 4096 Jan 21 11:47 .
drwx--x--x 21 gawiless gawiless 4096 Jan 23 16:44 ..
drwxr-xr-x 2 nobody nobody 4096 May 1 2007 cgi-bin
drwxr-xr-x 2 nobody nobody 4096 May 5 2007 contractors
-rw-r--r-- 1 gawiless gawiless 0 May 4 2007 .htaccess
drwxr-xr-x 3 nobody nobody 4096 Jan 15 13:29 images
drwxr-xr-x 3 nobody nobody 4096 Jan 8 01:01 includes
-rw-r--r-- 1 nobody nobody 6492 May 7 2007 index.php
drwxr-xr-x 14 nobody nobody 4096 Jan 22 09:38 new
drwxr-xr-x 6 nobody nobody 4096 May 5 2007 pdf
drwxr-xr-x 2 nobody nobody 4096 Jan 5 01:01 private
-rw-r--r-- 1 nobody nobody 260 May 4 2007 robots.txt
drwxr-xr-x 2 nobody nobody 4096 Jul 8 2007 Scripts
drwxr-xr-x 9 nobody nobody 4096 Sep 29 01:01 secure
-rw-r--r-- 1 nobody nobody 2829 May 7 2007 sitemap.php
-rw-r--r-- 1 nobody nobody 769 May 7 2007 sitemap.txt
-rw-r--r-- 1 nobody nobody 857 May 4 2007 styles.css
drwxr-xr-x 2 nobody nobody 4096 Jan 8 01:01 Templates
drwxr-xr-x 3 nobody nobody 4096 Jan 8 01:01 uploads
drwxr-xr-x 3 nobody nobody 4096 Jan 21 11:47 userfiles
To be honest, I think that the tech support person was right.
As long as you are required to adjust permissions yourself via chmod 755 and 777, you still maintain some sort of control over which files and folders should be accessible/executable. But as soon as you grant generell permissions to user 'nobody' (who most likely is the owner of the apache process), every malicious script unknowingly started within the apache context by you, a co-admin or maybe even a privileged user, potentially will be able to execute. That is indeed a risk.
All PHP built applications that I have ever installed on my server came with instructions on which permissions to change for them to run. I never considered this a big deal, and I certainly shouldn't want to change it by granting overall permissions to 'nobody'.
Even if this has run fine so far on your dedicated server, it seems to me to be more vulnerable to possible exploits.
As long as you are required to adjust permissions yourself via chmod 755 and 777, you still maintain some sort of control over which files and folders should be accessible/executable. But as soon as you grant generell permissions to user 'nobody' (who most likely is the owner of the apache process), every malicious script unknowingly started within the apache context by you, a co-admin or maybe even a privileged user, potentially will be able to execute. That is indeed a risk.
All PHP built applications that I have ever installed on my server came with instructions on which permissions to change for them to run. I never considered this a big deal, and I certainly shouldn't want to change it by granting overall permissions to 'nobody'.
Even if this has run fine so far on your dedicated server, it seems to me to be more vulnerable to possible exploits.
ASKER
Well, I looked into a different text editor -- TinyMCE. But it seems it needs to do the same thing.
I'm sorry for my ignorance. But here is what it says:
Setting write access
You need to make sure that the specified filesystem.rootpath is writable by PHP and Apache, this can normally be done using a FTP client or a SSH shell. Remember if you are using safe mode the user and group must also match not only the access rights.
======
So if apache is user nobody...then how do they, FCK Editor, and ANY editor like that that includes a file browser extension...how can any of them be secure? Tons of folks use them.
I'm sorry for my ignorance. But here is what it says:
Setting write access
You need to make sure that the specified filesystem.rootpath is writable by PHP and Apache, this can normally be done using a FTP client or a SSH shell. Remember if you are using safe mode the user and group must also match not only the access rights.
======
So if apache is user nobody...then how do they, FCK Editor, and ANY editor like that that includes a file browser extension...how can any of them be secure? Tons of folks use them.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks
On top of that, there is the ownership of the apache process.
Modifying permissions is a common procedure here in order to make sure that your application can write and execute in the required way. I should not be bothered about it - unless, of course, I did not get your point.