0

So let's say I have a list of directories and files on the server:

/stuff/
/other_stuff/
  index.php
/important_stuff/
  index.php
  script.php

From within the script.php script, how can I make sure the files within the important_stuff directory (__DIR__) cannot be modified by any other script?

thelolcat
  • 1
    what's the operating system? Either way - set ACLs or CHMOD the permissions you need. – ethrbunny Dec 30 '12 at 16:23
  • have you tried .htaccess – mamdouh alramadan Dec 30 '12 at 16:23
  • 1
    What are the directory and file permissions? Is there a specific attack you're trying to anticipate? – Ray Paseur Dec 30 '12 at 16:24
  • ACL = Access Control List. It is a per user or per group permission on a file that may allow the user or group to do things that the main 'chmod' permissions would otherwise prohibit. – Jonathan Leffler Dec 30 '12 at 16:27
  • Possibly answered here http://stackoverflow.com/questions/639666/how-do-i-limit-php-apps-to-their-own-directories-and-their-own-php-ini and here http://stackoverflow.com/questions/2667868/php-apache-deny-folder-access-to-user-but-not-to-script if you use a web server – Hernán Dec 30 '12 at 16:31
  • what is the environment of your server? OS? Server stack? – Netorica Dec 30 '12 at 16:32
  • 2
    If all server scripts are run by the same userid, you can't protect them from each other. – Barmar Dec 30 '12 at 16:47
  • 1
    @Barmar and fans: give a script to the root user (for instance), give the right to execute and read it to everyone, but not the right to write it. How is this script unprotected from scripts run by non-root users? – greg0ire Dec 30 '12 at 16:49
  • @greg0ire Unless script.php is running as root in the first place, it can't "give the script to the root user". Only the superuser can change file ownership on Unix. So this is something the server administrator can set up, by setting directory and file ownership properly, but script.php can't do by itself. – Barmar Dec 30 '12 at 16:54
  • @Barmar: yes, exactly, that's the point! script.php can't change the file ownership of the other script that was given to the root user. Hence, this script is protected from writes. I hope thelolcat has root access to his server. This way, he can make all of his scripts readable by php, and protected from writes. The web server user should only own cache, logs and upload folders – greg0ire Dec 30 '12 at 16:56
  • @greg0ire His question said "from within the script.php script". It can be done by the admin, but not by the script itself. Your answer is the appropriate way to accomplish the end result, though. – Barmar Dec 30 '12 at 17:36
  • @Barmar: Oh yeah, my bad... let's see if he really needs to do it programmatically then (if yes I'll delete my answer). – greg0ire Dec 30 '12 at 17:39

2 Answers

2

Let's assume you're using Linux and that you are able to change file ownership and permissions.

PHP is run by the web server user (often named apache or www-data). Make sure this user has no right to write in your important_stuff folder. This can be achieved by giving these files to another user, but making them readable by members of the www-data (or apache or whatever) group.

greg0ire
  • For example: user www-data is in groups www-data, www-site1, www-site2, www-siteN. Concrete site1 is in /var/www/site1 and has recursively these permissions: 0640 and owner/group are www-site1:www-site1 – gaRex Dec 30 '12 at 18:09
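
The ownership layout described in the answer and comment above can be verified from a shell. This is an added example, not code from the thread; the function names are hypothetical, and the `www-data`, `www-site1` and `/var/www/site1` values in the usage comment are placeholders taken from the comment's naming.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the account, group and path in the usage line are placeholders.

# audit_writable DIR WEB_USER WEB_GROUP
# Print every path under DIR that WEB_USER could modify through the
# classic mode bits. A path is reported when it is:
#   - owned by WEB_USER (an owner can always chmod write access back),
#   - group-writable and in WEB_GROUP, or
#   - world-writable.
# Directories are reported too: write access to a directory lets a
# script delete or replace files in it even if the files are read-only.
# Symlinks are skipped because their own mode bits are not enforced.
audit_writable() {
    dir=$1 web_user=$2 web_group=$3
    find "$dir" ! -type l \( \
        -user "$web_user" \
        -o \( -group "$web_group" -perm -020 \) \
        -o -perm -002 \
    \) -print
}

# is_locked_down DIR WEB_USER WEB_GROUP
# Exit status 0 only when the audit ran and reported nothing.
# Exit status 2 when find itself failed (for example an unknown user
# name), so a broken audit is never mistaken for a clean result.
is_locked_down() {
    out=$(audit_writable "$1" "$2" "$3") || return 2
    [ -z "$out" ]
}

# Usage, run by an administrator rather than by script.php itself:
#   is_locked_down /var/www/site1 www-data www-site1 \
#       || audit_writable /var/www/site1 www-data www-site1
```

The audit reads only owner, group and mode bits; POSIX ACLs and file attributes such as the immutable flag are outside what it checks.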
1

Right answer is about ownership/permissions. Also if you are under Linux, then google for "chattr immutable".

But if you want to check if something changed, then use md file function

gaRex