Running Php As Ftp User...

#1 10-12-2004, 08:50 PM

PHP is running globally as the user "nobody"
...so in theory I can run other peoples scripts from their accounts if I wanted to and this is just a little bit dodgy. There are also some other problems with this setup as outlined below.

It's great that you have openbasedir restrictions to only allow PHP to write to the directory from where it is running, but this will also cause problems when a person wants to manipulate these files using their FTP program. The reason for this is because the files created by the user nobody are owned by this user. The FTP user won't be able to set permissions etc. on these files(incidently file manager can't change the permissions either).

The same goes for files that are uploaded by the FTP user. PHP can't write to these because it doesn't own them. Without telnet, you are stuck with what you've got.

You run CGI with the permissions of the FTP user, why not PHP? It's something to think about.

sonic · #2 10-13-2004, 01:25 AM

Quote:

Originally Posted by Unregistered

The reason for this is because the files created by the user nobody are owned by this user. The FTP user won't be able to set permissions etc. on these files(incidently file manager can't change the permissions either).

The same goes for files that are uploaded by the FTP user. PHP can't write to these because it doesn't own them.

I now realize that this is the answer to my previous thread:
http://forums.hostgator.com/showthread.php?t=1458
The problem arises from the fact that some files are uploaded through a php script, and some uploaded through an ftp client. As described above, they are owned by different users. I get the "permission denied" error, only when I try to overwrite through ftp, files that were uploaded through the php script.

Quote:

Originally Posted by Unregistered

You run CGI with the permissions of the FTP user, why not PHP? It's something to think about.

Can HG please comment on this?

Thanks,
sonic

#3 10-13-2004, 08:49 AM

HG doesn't have a solution. I asked in chat etc already. I do, but it's probably not allowed.

There is a script called telnet.cgi that allows you to run some shell commands. You could use it to 'chown' the files and folders. Do a google for it, and you'll probably find it.

I'm pretty sure that HG will probably say you can't use it, but it is just another CGI script all the same.

I successfully created a symbolic link using it, to allow me to test whether you could run a PHP script from another users account. I could. I had one script in the master account and could access it from the other domain using the link. Pretty nifty, but it seems a little unsafe to me. I'm pretty lucky that I thought to put into account a users domain, and document root with this script.

sonic · #4 10-14-2004, 12:47 AM

Quote:

Originally Posted by Unregistered

There is a script called telnet.cgi that allows you to run some shell commands. You could use it to 'chown' the files and folders.

As I am not familiar with Linux, I want to keep things simple. I am thinking, if I could create an ftp user with userid: nobody, that would solve my problem.
Is that possible? Can someone from HG please respond?

Thanks,
sonic

#5 10-14-2004, 09:53 AM

Nope, that wouldn't work. Don't ask HG, just try it... you'll see it doesn't work.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
php permission denied problem	Daniel Craig	Pre-Sales Questions	9	12-04-2006 08:35 AM
Fantastico Php Suggestions	gameutopia	Pre-Sales Questions	2	08-21-2004 09:59 AM
PHP Sessions Randomly Lose Variables	wisewolfe	Pre-Sales Questions	1	08-21-2004 09:55 AM
PHP timeout question	tomcam	Pre-Sales Questions	1	01-27-2004 03:57 PM