I have a .TXT file in a web-server with the permission as 777. So what are the chances that others might be able to edit the content of this file? The content is not much - just a number. Someone seems to have been tinkering with this file as the number vanished the other day!

No one else except me has the FTP password. So I was wondering if it's the permission that's giving it away? I'm a client side script programmer and don't have much knowledge about Linux and permissions.

Cheers

+2  A: 

It's the last 7 that is the problem. That 3rd 7 means read/write/execute permission for any user on the system. For many hosting providers, 640 or 660 is sufficiently secure for files you need to write.

karoberts
+3  A: 

If it's 777, that means anyone with an account on the system, or any application running on the system (including PHP scripts, even those owned by those other than you) can modify the file in any way.

So, yes, it's possible someone tinkered with the file. Could it perhaps have been a bug in your PHP script that removed the number?

If you can do so, it would be best to reduce the permissions to something more restrictive, like 644. This will still work if the PHP script that accesses the file is executed as the same user that owns the file. Many webhosts are configured this way, so you might be able to do this. 644 means the owner of the file can read and write to it, while others can only read.

Jeff
I tried that - changed the permission of the .txt file to 644. But my writer.php is no longer able to write to the file! When writer.php is opened from the browser, is it executed as the user? Sorry, but could you give a little more detail how to go about this?
Yeti
When a web browser accesses writer.php, it's executed as the web server userid (or in some cases, the PHP user, which sometimes is the same as the web server user). Since setting the txt file to 644 prevents your PHP script from working, this indicates that the web server user or the userid used to run the PHP process is different than the user that owns the file. In this case, you would have to work with your web host to figure out a solution to secure your files so that you don't need to set excessive (666/777) permissions.
Jeff
+1  A: 

Anybody can write anything in the file, and the file can be executed by anyone. If you never intend it to be a script, use 666 permission (or more restrictive); if you do intend it to be a script, don't allow anyone to modify it (755).

Jonathan Leffler
It's just a .txt file. I'm storing some information as a number inside it. Writer.php writes to this .txt file when users come to this page. When I change the permission to 644 writer.php is no longer able to write to the txt file. Am I doing something wrong?
Yeti
The person (user ID) trying to write the file is not the owner of the file. You have to decide who should own the file, which group, and what the permissions should be. Remember that if you go with 666 permission, then the data in the file is not secure; anyone can modify the file at any time if they have access to it.
Jonathan Leffler
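
The following is an added example, not code from any of the posters above. It models the owner/group/other write check discussed in the answers and shows why 644 stops writer.php when the web server runs as a different user, and how 660 with a shared group keeps it working without opening the file to everyone. All uid/gid numbers and the shared group are constructed for illustration; whether your host lets you set such a group is up to the host.

```python
import stat

def access_class(file_uid, file_gid, proc_uid, proc_gids):
    """Pick the single permission triplet that applies: owner, group or other."""
    if proc_uid == file_uid:
        return "owner"          # owner bits apply, even if group/other are looser
    if file_gid in proc_gids:
        return "group"
    return "other"

def can_write(mode, file_uid, file_gid, proc_uid, proc_gids):
    """True if a non-root process with these ids may write a file with this mode."""
    bit = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}
    return bool(mode & bit[access_class(file_uid, file_gid, proc_uid, proc_gids)])

def audit(mode, file_uid, file_gid, actors):
    """Map each actor name to whether it can write the file."""
    return {name: can_write(mode, file_uid, file_gid, uid, gids)
            for name, (uid, gids) in actors.items()}

# Constructed ids: the FTP account owns the file, PHP runs as a separate user.
OWNER_UID, OWNER_GID = 1001, 1001
SHARED_GID = 2000               # hypothetical group shared by owner and web server
WEB = "web server (writer.php)"
ACTORS = {
    "ftp owner": (1001, {1001}),
    WEB: (33, {33}),
    "other tenant": (1002, {1002}),
}
# Same actors, but the web server user has been added to the shared group.
ACTORS_SHARED = {**ACTORS, WEB: (33, {33, SHARED_GID})}

if __name__ == "__main__":
    for mode in (0o777, 0o666, 0o644):
        print(stat.filemode(stat.S_IFREG | mode),
              audit(mode, OWNER_UID, OWNER_GID, ACTORS))
    # File's group changed to the shared group, mode 660.
    print(stat.filemode(stat.S_IFREG | 0o660),
          audit(0o660, OWNER_UID, SHARED_GID, ACTORS_SHARED))
```

On a real host, compare the file's owner and group (`ls -l`) with the user the PHP process runs as to see which of these cases you are in.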