impossible for 'other' user to chmod files?

  • dan glenn

    impossible for 'other' user to chmod files?

    (PHP 4.3.4) THIS IS DRIVING ME NUTS!

    I have a website where I offer members their own bit of webspace to use and
    am coding a very simple 'filemanager' that allows a user to upload, delete,
    and edit text files (members, of course, will not have normal sign-on FTP
    access to the site - I just limit them to their own folder space). I'm
    hitting a real problem with file and directory permissions, in that it seems
    I'm experiencing inconsistencies with my permissions when the user attempts
    to edit these files.

    One question I need answered: does the server side somehow keep track of
    'who' originally created a file or folder ('owner', 'group', 'other'), so
    that there would be a difference in later trying to apply a script-coded
    CHMOD or file-open (script-coded would be 'other'-activity) on a file
    originally uploaded by sign-on FTP ('owner'-created)??? In other words, if
    I log on through FTP and upload a file, it has 644 permissions which allow
    writes only for the 'owner' of that file. When someone is running my simple
    script, that someone is seen as 'other' (?) and therefore does not have
    write permissions and will not be allowed to edit the file. However, if
    someone uploads a file through my simple script, again the file gets 644
    permissions but now the 'owner' of the file is not an FTP sign-on user, but
    some 'other' (less exalted) user. Thus when this same someone is then trying
    to edit the file via my simple script, he IS permitted to do so since the 6
    in the same 644 permissions now applies to him, since an 'other' was the
    creator (thus 'owner') of the file. ??????????????? ?? ARGH!!!

    I seem to be getting quite maddening inconsistencies in testing this out. If
    anyone can tell me some simple facts about how's the best way to do this
    (allow general users of my site to manage their own little webspace), I
    would be forever in their debt...

    -dg


  • Michael Austin

    #2
    Re: impossible for 'other' user to chmod files?

    dan glenn wrote:
    > (PHP 4.3.4) THIS IS DRIVING ME NUTS!
    >
    > I have a website where I offer members their own bit of webspace to use and
    > am coding a very simple 'filemanager' that allows a user to upload, delete,
    > and edit text files (members, of course, will not have normal sign-on FTP
    > access to the site - I just limit them to their own folder space). I'm
    > hitting a real problem with file and directory permissions, in that it seems
    > I'm experiencing inconsistencies with my permissions when the user attempts
    > to edit these files.
    >
    > One question I need answered: does the server side somehow keep track of
    > 'who' originally created a file or folder ('owner', 'group', 'other'), so
    > that there would be a difference in later trying to apply a script-coded
    > CHMOD or file-open (script-coded would be 'other'-activity) on a file
    > originally uploaded by sign-on FTP ('owner'-created)??? In other words, if
    > I log on through FTP and upload a file, it has 644 permissions which allow
    > writes only for the 'owner' of that file. When someone is running my simple
    > script, that someone is seen as 'other' (?) and therefore does not have
    > write permissions and will not be allowed to edit the file. However, if
    > someone uploads a file through my simple script, again the file gets 644
    > permissions but now the 'owner' of the file is not an FTP sign-on user, but
    > some 'other' (less exalted) user. Thus when this same someone is then trying
    > to edit the file via my simple script, he IS permitted to do so since the 6
    > in the same 644 permissions now applies to him, since an 'other' was the
    > creator (thus 'owner') of the file. ??????????????? ?? ARGH!!!
    >
    > I seem to be getting quite maddening inconsistencies in testing this out. If
    > anyone can tell me some simple facts about how's the best way to do this
    > (allow general users of my site to manage their own little webspace), I
    > would be forever in their debt...
    >
    > -dg
    >


    Yes, the server always knows "who" created a file... a simple 'ls -la'
    will tell you. If the user is not the owner or in the group of the
    owner and the user mask is 644, then the user only has READ privs.

    If you truly do not understand security concepts and their
    ramifications, then I would suggest doing so before you make changes
    that would make your site vulnerable.

    Michael.


    • Chris Hope

      #3
      Re: impossible for 'other' user to chmod files?

      Michael Austin wrote:

      [snip]
      >> One question I need answered: does the server side somehow keep track of
      >> 'who' originally created a file or folder ('owner', 'group', 'other'), so
      >> that there would be a difference in later trying to apply a script-coded
      >> CHMOD or file-open (script-coded would be 'other'-activity) on a file
      >> originally uploaded by sign-on FTP ('owner'-created)??? In other words,
      >> if I log on through FTP and upload a file, it has 644 permissions which
      >> allow writes only for the 'owner' of that file. When someone is running
      >> my simple script, that someone is seen as 'other' (?) and therefore does
      >> not have write permissions and will not be allowed to edit the file.
      >> However, if someone uploads a file through my simple script, again the
      >> file gets 644 permissions but now the 'owner' of the file is not an FTP
      >> sign-on user, but some 'other' (less exalted) user. Thus when this same
      >> someone is then trying to edit the file via my simple script, he IS
      >> permitted to do so since the 6 in the same 644 permissions now applies to
      >> him, since an 'other' was the creator (thus 'owner') of the file.

      [snip]
      > Yes, the server always knows "who" created a file... a simple 'ls -la'
      > will tell you. If the user is not the owner or in the group of the
      > owner and the user mask is 644, then the user only has READ privs.

      [snip]

      When you upload a file using a PHP script the file permissions of the file
      are those of the user and group the *webserver* runs as. In a lot of
      hosting environments this is something like nobody:nobody or apache:apache
      and will *not* be the user who has FTP access to that particular site.

      When you upload using FTP, the user and group are set as the user who is
      logged in to the FTP server.

      --
      Chris Hope
      The Electric Toolbox - http://www.electrictoolbox.com/


      • dan glenn

        #4
        Re: impossible for 'other' user to chmod files?


        "Chris Hope" <chris@electrictoolbox.com> wrote in message
        news:1087414165_15253@216.128.74.129...
        > Michael Austin wrote:
        >
        > [snip]
        >
        > >> One question I need answered: does the server side somehow keep track of
        > >> 'who' originally created a file or folder ('owner', 'group', 'other'), so
        > >> that there would be a difference in later trying to apply a script-coded
        > >> CHMOD or file-open (script-coded would be 'other'-activity) on a file
        > >> originally uploaded by sign-on FTP ('owner'-created)??? In other words,
        > >> if I log on through FTP and upload a file, it has 644 permissions which
        > >> allow writes only for the 'owner' of that file. When someone is running
        > >> my simple script, that someone is seen as 'other' (?) and therefore does
        > >> not have write permissions and will not be allowed to edit the file.
        > >> However, if someone uploads a file through my simple script, again the
        > >> file gets 644 permissions but now the 'owner' of the file is not an FTP
        > >> sign-on user, but some 'other' (less exalted) user. Thus when this same
        > >> someone is then trying to edit the file via my simple script, he IS
        > >> permitted to do so since the 6 in the same 644 permissions now applies to
        > >> him, since an 'other' was the creator (thus 'owner') of the file.
        >
        > [snip]
        >
        > > Yes, the server always knows "who" created a file... a simple 'ls -la'
        > > will tell you. If the user is not the owner or in the group of the
        > > owner and the user mask is 644, then the user only has READ privs.
        >
        > [snip]
        >
        > When you upload a file using a PHP script the file permissions of the file
        > are those of the user and group the *webserver* runs as. In a lot of
        > hosting environments this is something like nobody:nobody or apache:apache
        > and will *not* be the user who has FTP access to that particular site.
        >
        > When you upload using FTP, the user and group are set as the user who is
        > logged in to the FTP server.
        >
        > --
        > Chris Hope
        > The Electric Toolbox - http://www.electrictoolbox.com/

        OK - I think I get it now.

        * When I upload a file with FTP, I get an 'owner'
        of 'bsanghan', and a 'group' of 'bsanghan'.
        * When I upload a file with PHP, I get an 'owner'
        of '80', and a 'group' of 'bsanghan'.

        At least, those are the names I can view with SmartFTP, turning on the
        viewing of OWNER and GROUP designations in its view pane. My webhost file
        manager doesn't even tell me who it sees as the owner of a file
        (ipowerweb.com is hosting my site).

        My frustration has been that the files I have on the site in these locations
        were for the most part uploaded by FTP, thus owner = 'bsanghan'. When users
        upload files on their own through my PHP script, those files will have this
        '80' name as 'owner', which was causing the 'inconsistencies' with access
        permissions in comparison to the other files.

        There isn't any way I can change the 'owner' designation of a file on my
        site through FTP, is there?

        -dg
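
The owner/group/other rules discussed in this thread, as an added example that is not part of any post: a PHP diagnostic that reports which permission class the running PHP process falls into for each file, and whether it could write to or chmod() it. The function names, the `$dir` path and the numeric ID 1001 are hypothetical; the sample assumes the web server runs as UID 80 with GID 80, and the script needs PHP's posix extension.

```php
<?php
// Added example, not code from the thread. Requires PHP's posix extension.
// Pick the one permission class the kernel consults: owner bits if the
// UIDs match, otherwise group bits if a GID matches, otherwise other bits.
function permission_class($fileUid, $fileGid, $procUid, array $procGids)
{
    if ($procUid === $fileUid) return 'owner';
    return in_array($fileGid, $procGids, true) ? 'group' : 'other';
}

function access_report($mode, $fileUid, $fileGid, $procUid, array $procGids)
{
    $class = permission_class($fileUid, $fileGid, $procUid, $procGids);
    $shift = array('owner' => 6, 'group' => 3, 'other' => 0);
    $bits  = ($mode >> $shift[$class]) & 07;
    $root  = ($procUid === 0); // root bypasses the read/write bits
    return array(
        'class' => $class,
        'read'  => $root || ($bits & 04) !== 0,
        'write' => $root || ($bits & 02) !== 0,
        // chmod() is not governed by the mode bits at all:
        // only the file's owner (or root) may change them.
        'chmod' => $root || $procUid === $fileUid,
    );
}

function show($label, $mode, array $r)
{
    printf("%-24s %04o class=%-5s read=%s write=%s chmod=%s\n", $label, $mode,
        $r['class'], $r['read'] ? 'y' : 'n', $r['write'] ? 'y' : 'n', $r['chmod'] ? 'y' : 'n');
}

// Constructed sample: web server runs as UID 80 (GID 80 assumed);
// 1001 is a made-up numeric ID standing in for the FTP account.
show('ftp-upload.txt (sample)', 0644, access_report(0644, 1001, 1001, 80, array(80)));
show('php-upload.txt (sample)', 0644, access_report(0644, 80, 1001, 80, array(80)));

// Real files: $dir is a hypothetical path; point it at a member's folder.
$dir  = '.';
$uid  = posix_geteuid();
$gids = array_merge(array(posix_getegid()), posix_getgroups());
foreach (scandir($dir) as $name) {
    $st = ($name === '.' || $name === '..') ? false : stat("$dir/$name");
    if ($st === false) {
        continue;
    }
    $mode = $st['mode'] & 0777;
    show($name, $mode, access_report($mode, $st['uid'], $st['gid'], $uid, $gids));
}
```

Run it through the web server rather than from a shell login, so that posix_geteuid() reports the account the file manager actually runs as. Creating or deleting a file is decided by the same check applied to the containing directory's write and search bits, not to the file's own mode.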


