Right permissions for self-installing application...

[fast4god]

I've just written a new application (a wiki) and I want to make it as self-installing as possible. My server is using suexec.php, and it works great under that, but some beta testers complained it won't install at all on regular apache. It's an ownership/permissions puzzle I'd love some help sorting out.

 

The initial upload looks like this

 

--Main Folder

----Code Folder

------Script 1.php

------Script 2.php

------etc

 

One of the scripts is setup.php. When you run it, it's supposed to create this:

 

--Main Folder

----Code Folder

------Script 1.php

------Script 2.php

------.htpasswd file (new)

----Wiki Folder

------index.php (config file, main url)

------Pages Folder

--------Various wiki pages

------ Uploads Folder

------ Other Misc Folders

 

I need to have maximum security, but all necessary functionality. Can someone suggest the right permissions? I'm guessing the account holder needs to give the main folder 777 permissions initially and then the setup folder needs to chmod the folders and files it creates to a tighter level.

 

Someone also said making the index.php file owned by the webserver (ie created when the browser runs setup.php) is itself a major security risk. Is that true? If so I could have the individual manually create the index file.

 

Finally I'd like to have the admin make as few changes as necessary, so to avoid having to reset the code folder's permission it may be better to put the .htpasswd in the main folder.  Anyway, any input anyone can give would be appreciated!

 

Cheers,

Dan

[steviewdr]

Max security != give good functionality.

 

Are installs done automatic or manually? I.e. does the person have to ftp/copy the php files into place??

 

Is there an upload facility? Could files and data be saved to a database? Do you need write permission to the hard disk after the install is complete?

 

-steve