PHP file access and directory security

  • JW

    PHP file access and directory security

    I have a directory protected with .htaccess / .htpasswd. After I'm validated, I
    run a php script which bombs out when trying to write a file to that directory.
    If I chmod 777 on the directory (default was 755) then everything works ok.

    So apparently, the script is running under a different security context even
    though it's being run via my http session validated via .htaccess.

    1) Do I have to be concerned about access to a protected directory via .htaccess
    but with wide-open file permissions?
    2) If yes, are there any alternatives for my PHP routines if I want to maintain
    file-level permissions?
    3) Is this normal behavior (i.e., how things are supposed to work with
    file-level access) for most ISPs?

    Thanks -

    jon

    --
    jwayne@_myrealb ox_no_spam.com
  • chotiwallah

    #2
    Re: PHP file access and directory security

    JW <jwayne@_myreal box_no_spam.com > wrote in message news:<6fk3hv012 0rs6u4s8o6v9sdu 9pkml1lltf@4ax. com>...
    > I have a directory protected with .htaccess / .htpasswd. After I'm validated, I
    > run a php script which bombs out when trying to write a file to that directory.
    > If I chmod 777 on the directory (default was 755) then everything works ok.
    >
    > So apparently, the script is running under a different security context even
    > though it's being run via my http session validated via .htaccess.
    >
    > 1) Do I have to be concerned about access to a protected directory via .htaccess
    > but with wide-open file permissions?
    > 2) If yes, are there any alternatives for my PHP routines if I want to maintain
    > file-level permissions?
    > 3) Is this normal behavior (i.e., how things are supposed to work with
    > file-level access) for most ISPs?
    >
    > Thanks -
    >
    > jon

    .htaccess configures only http-access to your directory. file-writing
    under php works without http, so .htaccess doesn't apply.

    micha

    • JW

      #3
      Re: PHP file access and directory security

      chotiwallah@web .de (chotiwallah) wrote:
      >JW <jwayne@_myreal box_no_spam.com > wrote in message news:<6fk3hv012 0rs6u4s8o6v9sdu 9pkml1lltf@4ax. com>...
      >> I have a directory protected with .htaccess / .htpasswd. After I'm validated, I
      >> run a php script which bombs out when trying to write a file to that directory.
      >> If I chmod 777 on the directory (default was 755) then everything works ok.
      >>
      >> So apparently, the script is running under a different security context even
      >> though it's being run via my http session validated via .htaccess.
      >>
      >> 1) Do I have to be concerned about access to a protected directory via .htaccess
      >> but with wide-open file permissions?
      >> 2) If yes, are there any alternatives for my PHP routines if I want to maintain
      >> file-level permissions?
      >> 3) Is this normal behavior (i.e., how things are supposed to work with
      >> file-level access) for most ISPs?
      >>
      >> Thanks -
      >>
      >> jon
      >
      >.htaccess configures only http-access to your directory. file-writing
      >under php works without http, so .htaccess doesn't apply.

      Yeah, figured that out already. I was wondering whether I had to be concerned
      about 777 file permissions if http was protected via .htaccess. I.e., can it be
      accessed by other means? And if I do need to be concerned, what are my
      alternatives? I neglected to mention that only _I_ (the owner of the directory
      and the script) need to write those files. The ISP uses suEXEC and safe_mode is
      turned off.

      For now, I have 755 on the directory and have only the files that I need to
      write set to 777.

      jon

      --
      jwayne@_myrealb ox_no_spam.com
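
The thread's point, that a write is checked against the account the PHP process runs as and not against the .htaccess login, can be checked directly. This is an added example, not code from the thread: `describe_write_access()` is a hypothetical helper that reports which Unix permission class the PHP process falls into for a directory and whether that directory is world-writable. It assumes a Unix host with PHP's posix extension and ignores ACLs.

```php
<?php
// Added example, not code from the thread. Explains which Unix permission
// class applies to the PHP process for a directory, and flags world-write.
function describe_write_access(string $dir): array
{
    clearstatcache(true, $dir);
    $perms = @fileperms($dir);
    if ($perms === false || !is_dir($dir)) {
        throw new RuntimeException("not a readable directory: $dir");
    }
    $mode  = $perms & 0777;
    $owner = fileowner($dir);
    $group = filegroup($dir);
    // Identity the PHP process runs as; this, not the .htaccess login,
    // is what the kernel checks on write. Requires the posix extension.
    if (!function_exists('posix_geteuid')) {
        throw new RuntimeException('posix extension not available');
    }
    $euid = posix_geteuid();
    $gids = array_merge([posix_getegid()], posix_getgroups() ?: []);

    // The kernel applies exactly one class: owner, else group, else other.
    if ($euid === $owner) {
        [$class, $need] = ['owner', 0300];
    } elseif (in_array($group, $gids, true)) {
        [$class, $need] = ['group', 0030];
    } else {
        [$class, $need] = ['other', 0003];
    }

    return [
        'mode'           => sprintf('%04o', $mode),
        'php_uid'        => $euid,
        'owner_uid'      => $owner,
        'class'          => $class,
        // Creating a file needs write + search (execute) on the directory.
        'can_create'     => $euid === 0 || ($mode & $need) === $need,
        'world_writable' => ($mode & 0002) !== 0,
    ];
}

// Constructed demo: a scratch directory at 0755, then at 0777.
$dir = sys_get_temp_dir() . '/perm_demo_' . getmypid();
mkdir($dir, 0755);
foreach ([0755, 0777] as $m) {
    chmod($dir, $m);
    echo json_encode(describe_write_access($dir)), PHP_EOL;
}
rmdir($dir);
```

When the reported class is `other`, the write only succeeds with the world-write bit set, which is the 755 versus 777 behaviour described in the first post; when it is `owner`, 755 is already sufficient.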
