Hi, Gilles!
I don´t know much about this stuff so I ask a friend of mine to try to explain to me, then he wrote this:
"The problem is, given that this is a shared hosting system, that I have no way to « donate » my files to the PHP user (only root can do that). Consequently, I have to have the mentioned directories with permissions 777 (actually, XX7) to allow the PHP user to access them (I am neither on the same group as the PHP user nor as the other users). Therefore, the fact remains that I give full read-write access to any user of the system.
In fact, even if it were possible to donate the files, other users on the same host would still be able to write into the directories, as the PHP scripts of everyone are run by the same userid (they could create their own scripts to write there). The only way around this, AFAIK, is to use a cgi-bin wrapper to change to the correct user at every evocation, with the associated performance impact (OTOH, this is a smaller problem).
Or am I missing something?"
In other words, I feel that to this host it keeps unsecure, isn´t it? :-/
tks…
On 8/10/07, Gilles Vincent <gilles.vincent@gmail.com> wrote:
The PHP process must have access in read/write mode to /IMG, /tmp,
/local and /config (at the insallation only). (Your directories look
like a 1.8x install of Spip, or an old 1.9).
There is no security pb because only PHP can write something to these
directories (with the FTP user, of course).
Moreover, executable files (like asp or php source files) can’t be
uploaded into the IMG/ dir (because it’s forgiven by Spip)
However, we are all still interested if you find a way to bypass this
protection 
.Gilles
2007/8/9, Tereza Loparic <telopa@gmail.com>:
Hi, all
I’m trying to install spip for the first time in a new host (I do already
manage spips at other hosts, installed by someone else), but this host is
refusing it.
While doing the instalation, the system said to change the directory
attribs. Then I pass the info to the sysadmin (I can´t do it by FTP), and he
said no, because it´s unsecure…
Then I saw that at one other site [at infora.cursys.net], the permissions
are:
drwxr-x— 15 - alternc 4096 Jun 16 2006 .
drwxr-x— 21 - alternc 4096 Aug 15 2006 CACHE
drwxr-x— 234 - alternc 12288 Aug 8 20:28 IMG
drwxr-x— 4 - alternc 4096 Jun 16 2006 dist
drwxr-x— 19 - alternc 4096 Jun 13 2006 ecrire
but at another one [at locaweb.com.br], they are:
drwxr-xr-x 9 hipermeios hipermeios 4096 Apr 27 14:44 .
drwxrwxrwx 20 hipermeios hipermeios 4096 Dec 22 2006 CACHE
drwxrwxrwx 3 hipermeios hipermeios 4096 Aug 8 18:26 IMG
drwxr-xr-x 3 hipermeios hipermeios 4096 Oct 30 2006 dist
drwxrwxrwx 17 hipermeios hipermeios 4096 Nov 27 2006 ecrire
Well, it really seams unsecure to me, and anyone can put stuff into these
directories… but i´m not an admin, I don´t know. Is it really so? How
should the permissions really be?
Thank you in advance, as alwaysssssssss…
tereza
spip-en@rezo.net -
http://listes.rezo.net/mailman/listinfo/spip-en
–
Abelhaweb design
(11) 3726-5577