[SLUG] Ignorance alert: permissions

Stephen O'Neill soneill84 at yahoo.co.uk
Tue Sep 11 13:57:57 BST 2007


Paul Teasdale wrote:
>So basically the root of the problem may be a bad PHP script. 


Our host said "if your php process user owns the file then your script 
is to blame. If it's another user that owns the file then someone else's 
account was compromised".

Compromised here could just mean that they had a dodgy php script that 
offered a way of injecting file system commands from user input.



> Like my shared hosting provider I bet they allow you to login with unsecure
> FTP. 

That really bugs me too. Why not use sftp as standard if you're a unix 
based host? Bah!



> If so then someone may have "sniffed" out your clear text login details
> It's probably very inefficient to do this

But I bet it can be much faster for doing some operations like deleting 
folders ... plus has some other annoying things which are missing from 
the ftp protocol.



> I needed a solution and that worked. My host has never complained yet.

We're now really hardline on all the permissions we use - 701 and 704 
(like I said before, ftp and apache create files as the same user) - and 
every time we upload files via ftp we run a php script to remove excess 
baggage.

Steve O
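
A sketch of the kind of post-upload cleanup described above, as an added example that is not the poster's script or part of the original message. It assumes "excess baggage" means extra permission bits, resets directories to 701 and files to 704, and lists anything not owned by the PHP process user (the ownership check the host described); the function name and report keys are hypothetical.

```php
<?php
// Added example (not the poster's script). Assumptions: FTP and Apache run as
// the same user, and the target modes are the 701/704 mentioned in the post.

function tighten_tree(string $root, int $dirMode = 0701, int $fileMode = 0704): array
{
    // Effective UID of the PHP process; getmyuid() (script owner) is a fallback
    // for hosts without the posix extension.
    $me = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();
    $report = ['changed' => [], 'foreign_owner' => [], 'skipped_symlink' => []];

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD   // skip unreadable directories
    );

    foreach ($iter as $info) {
        $path = $info->getPathname();
        if ($info->isLink()) {
            // chmod() follows symlinks, so never touch them from here.
            $report['skipped_symlink'][] = $path;
            continue;
        }
        if ($info->getOwner() !== $me) {
            // Not created by our own user: report it instead of changing it.
            $report['foreign_owner'][] = $path;
            continue;
        }
        $want = $info->isDir() ? $dirMode : $fileMode;
        $have = $info->getPerms() & 07777;           // permission bits only
        if ($have !== $want && chmod($path, $want)) {
            $report['changed'][] = sprintf('%s %04o -> %04o', $path, $have, $want);
        }
    }
    return $report;
}

// Command-line use: php tighten.php /path/to/webroot
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(tighten_tree($argv[1]));
}
```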



