Re: [Phpgroupware-users] Help needed: Configuration quick reference chart...

[Izzy Blacklock]

On April 5, 2003 12:43, Dave Hall wrote:
> Adam Hull <address@hidden> wrote:
> > This raises the neverending question of permissions. It has been
> > reccommend numerous
> > times to me that the phpgroupware directory and files not have x
> > permissions.However, I have tested this and it does not work for
> > me. this is true for the tmp
> > directory as well
> >
> > Can anyone shed some light on this?
> >
> > what I reccommend is:
> >
> > phpgroupware 770
>
> owned by user:group - *not* the apache user 664

shouldn't this be 775, or 755 as I've been doing.  Don't you need execute 
permission to enter the dir?

> > header.inc.php 770
>
> owned by user:group - *not* the apache user - perms 664
> or if you want to be able to edit the header, change the perms to
> owned by apache-user:group - perms 664
> then

There are passwords in this file (an issue that should be addressed one day.).  
I don't think making it world readable is a good idea.  I like 400 owned by 
apache myself.  See my other message...

>
> > files 660
>
> owned by apache-user:apache-user - *not* the apache user - perms 660

I'm confused

>
> > tmp 770
>
> /tmp should always be 777

Don't you want the sticky bit set on this to prevent unauthorized 
modifications?  Here's a clip from 
http://www.hackphreak.org/newbie/linuxbxj.txt which seems to do a good job 
explaining the concept (I did a google to find it):

----- 8< -----
Speaking of modes. There's a UNIX "gap" where you can have write access
to a file even if it's only +r for you, but you still have +w access to
the directory it's in. `cat /dir/file > ~/temp ; vi ~/temp ; mv ~/temp 
/dir/file`
is a rough explanation for this. To prevent modification of files unless the
modifier is the file owner, directory owner, or superuser, you use the sticky 
bit.
The sticky bit is an extra, 1000-mode, that you add to a file/directory:

chmod 1755 stuff
------ 8< -------

...Izzy