File Permissions

[mentalist]

Hi,

 

I'm no too clear on what permissions I should apply to different files within my site.

 

My two main concerns are:

 

1) .htaccess, I have a function which rewrites part of this file at certain times from admin. However I don't seem to be able to set the permissions of the file from a php context. But it sems I need to have it set at 'others writeable' for it to be able to be written to.

 

2) Similar to above. I have two config files which can get rewritten at times by admin. These files are actually php files which just get included, and once again how do I secure them?

[jackpf]

When you say admins rewrite them, what, do mean by ftp? Or throught an interface on your site?

 

The only time you'll ever need to change file permissions is if you want it to be writeable or readable over HTTP. If you're editing these files over FTP, there's no need to chmod them.

[mentalist]

Yes through an admin interface (its a bit of a cms), and yes over http.

 

I've not been on windows for so long I don't even know if it'd be an issue on there?

 

Basically when a module is installed or deleted it has the ability to use it's own mod_rewrite commands. Also an install feature can alter the RewriteBase.

 

The config files hold common used variables such as slogan, links, email, etc. I'm doing it this way because then it's more like a cache and less overhead on the db.

[jackpf]

Hmm...I don't really know about windows file permissions. And also, would it be much more hassle to just have one writeable file and include it? That way, if you do happen to get hacked, they can only write to this one file. They could still wreak havock lol, but I guess it'd be a tad better.

[mentalist]

Can't see that it'd make any difference.

But this is why I want to protect them and prevent the issue!

[jackpf]

Why don't you just store the updated stuff in a database?

That way everyone can write to it, and it's pretty safe.

[mentalist]

i'm trying to cut down on database access.

 

But that won't work when concerning the .htaccess file.

[jackpf]

Yeah...

Idk, having your htaccess file world writeable does pose a bit of a security risk. Can you not just store the updates in like...a "to do" file and then update the htaccess file manually every so often?

[mentalist]

Not really the solution that i'm looking for!

[jackpf]

Yeah I know...

Not really sure what else to suggest though.

[premiso]

1) .htaccess, I have a function which rewrites part of this file at certain times from admin. However I don't seem to be able to set the permissions of the file from a php context. But it sems I need to have it set at 'others writeable' for it to be able to be written to.

 

2) Similar to above. I have two config files which can get rewritten at times by admin. These files are actually php files which just get included, and once again how do I secure them?

 

1, .htaccess cannot be overwritten by anyone but the server as in the http.conf for apache it is set to be able to downloaded/read from anyone else. You are safe with that one.

 

2. You can lock the config files and unlock with chmod to write to it then just chmod it back to lock it up.