File permissions

[karpe@bellsouth.net]

Most Linux systems have an option in the user panel to enable CGI-Wrapper  The executable is placed in a directory called BASEPATH/scgi-bin.  When scritps are run from this directory they are run as if the owner of the acccount ran them not "nobody"  So your file permissions can be 644 .  And in this way a hacker can't modify the file but your users have full control.  If you don't have cgi-wrapper you can ask support to enable it.

[admin]

That's a good suggestions and hint.

Thanks!  

[karpe@bellsouth.net]

I hve since found out that your sustem needs to have a php-wrapper and only a few systms have them

[admin]

I hve since found out that your sustem needs to have a php-wrapper and only a few systms have them

Actually, this is not correct.  SnippetMaster does not need to have scgi-bin or php-wrapper to work.

All it needs is the ability to WRITE to the file(s) you wish to edit.

It is your web host that decides if you must use scgi-bin or php-wrapper, etc..  Most web hosts do NOT require this, and if yours does, then I suggest moving to a more standardized host.

Alternatively, you can give WRITE permission to the "world" user for the files you wish to make editable, although this is a security issue..

[akarpe]

I did not mean that you needed php-wrapper to use snippetmaster.  However if your system had it you would not have to give world read permission to your directories or files.  The php-wrapper would act if it was you the ownerr using the file system and not a visitor.

[admin]

Yes, you are correct.  With php-wrapper, you can set permissions of the editable files to 666.

Cheers!  

[BCasey]

My current host has this same problem.  All files are assigned as www rather than the actual owner.  How do I go about getting this configured correctly?  The host said to use a cgiwrapper but I am not familiar with this.  What is the php-wrapper?

[admin]

What is the php-wrapper?

This is something you should ask your host about.  

However, you should be able to "get around" having to use the php wrapper as long as you assign adequate permissions to the files you wish to edit with snippetmaster.  Since they will be "owned" by your user, and you wish to edit them with SnippetMaster (which is running as the "nobody" user), then they will need to have write permissions for the "nobody" or "world" user.

In other words, just make sure you give 777 permissions to the files you wish to edit with snippetmaster and it should work.

[Bcasey]

The files are fine and editable.  The problem is when images or files are uploaded through snippetmaster, they are assigned incorrectly (as "www" rather than the actual account name).  These files are on the server as I can see when I ftp into the server, but they cannot be viewed or used by snippetmaster because the permissions are incorrect.  How do I remedy this?

[admin]

It is normal for the files that are uploaded by SnippetMaster to be owned by the "nobody" or "www" user.  This is because it is the "nobody" or "www" user that is actually running the SnippetMaster application code...

What permissions are assigned to the image files when they are uploaded?  (ie: After uploading, they should have "read" permissions assigned to the "www" or "nobody" user.)

If not, you should speak with your web host about this and ask them to make sure that files uploaded by the "www" or "nobody" user (using a php script) are "world readable".

Let me know how that goes....

[Bcasey]

Either they don't know what they are doing or too afraid.  The sysadmin says that this is a huge security risk.  In actuality, I am wondering if they know how to do this.  Do you have any hints or tips?

[admin]

Well.. it's a security risk IF the programmer doesn't know what they're doing, etc... In reality, the issue is "how far do we go to protect our servers"?

If they go too far, then they cause major inconvenience to many scripts because the servers are now much too "tight" for the script to run properly.  If they don't go far enough.. then the server could be easily compromised by a hacker.

Generally speaking, you can tell how far is "too far" by seeing what the vast majority of other web host providers do.  If 99% of other web hosts don't place such severe restrictions on files uploaded as the "www" or "nobody" user.. then it's very likely that your web host is taking security too far.

Anyway...I'm rambling a bit here.

My suggestion is to find a new web host that better understands the needs of their customers.. yet is still 100% cabable and committed to high degree of security.

Of course, I highly recommend the hosting company where www.snippetmaster.com is hosted:   ET Web Hosting

(See the top of the www.snippetmaster.com page for the link and special offer...)

Other then moving to a different company.. you might be able to modify the snippetmaster code so that it can "work around" this limitation that is being imposed by your hosting company.

Cheers!