Permissions & File Editing In PHP

[jj20051]

I'm attempting to create a file manager in php for a "free webhosting company," however before I begin I was wondering what you guys would recommend as far as security and permissions settings. I would like to make sure that no one user can edit another user's files (even with their own scripts) and I'd like to know exactly what I'll need to do to make sure only my script can access all of the files in the user directories.

 

As an example: I want to make sure my script can edit files on user accounts only if they are logged in...

 

I'm not exactly sure how to prevent users from accessing files that aren't theirs with their own php scripts.

 

I was looking at: http://forums.mydigitallife.info/threads/23790-Apache-Restrict-Folder-Access but I'm not sure if that will work, if it would then I'll just place that in the directory between the user's folders

[gizmola]

AFAIK, the way to handle this is with the setup and configuration of apache and php so that it uses fastcgi + suexec.  The thing that allows people to read each other's files is when you're using mod_php and the apache process has to have access to everyone's file systems.  You need a configuration where every user is running as their OS user, in their home directory. 

 

There is a long discussion of this here, and a bit of googling on php fastcgi suexec will provide you a lot more to read about.

 

Good start ->  http://forum.linode.com/viewtopic.php?t=2982