[PLUG] apache and PHP and creating files on the host

[Carlos Konstanski]

> I since found that I can create files if I make the directory in which
> the files will reside writeable by www-data which is apache's group. Is
> this an acceptable thing to do?

Sure it is.  Think of all the websites that allow file uploads.
Consider the following code, which is a very common PHP recipe.  When
you upload a file using PHP, it first loads the file into /tmp, and
names it something odd and random.  This code moves it from there into
the directory of your choice and renames it to the original name:

     $filename = $_FILES["filename"]["name"];
     $uploadPath = getcwd() . "/../images/uploads/" . $filename;
     move_uploaded_file($_FILES["filename"]["tmp_name"], $uploadPath);
     chmod($uploadPath, 0666);

Just make sure you never allow both uploads and execution to occur in
the same directory!

> Too much invested to leave hp for erl ... but are you saying that what I
> want to do more easily handled by Perl?

PHP is nice because you do not have to turn on ExecCGI to run a PHP
file from apache.  Perl does not allow you this measure of safety,
unless FastCGI addresses this (never used it myself).

There is a danger associated with putting any executable file in an
apache DocumentRoot directory.  If something happens to apache which
causes it to not recognize the file as an executable, it will serve
the file as text.  Then the hacker can get the source code and study
it for security holes.  For this reason, you may want to put the
executable in a directory out of apache's reach, and use a one-line
launcher script to call it.  Sure, the launcher script will tell the
hacker exactly where the executable lives on your hard drive, but he
can only get to it if he gains a shell on your server.  Once that
happens, the game is over anyway.

Carlos Konstanski