Permission Of Dirs And Files In Runtime Directory

knaito · October 24, 2013, 3:04am

Yii framework generate some files in runtime directory.

For example,

state.bin

application.log

gii-1.1.xx/ControllerCode.php

etc.

The permission of these files and dirs may be not controlled.

(Some files can be controlled in main.php. In gii module, newFileMode and newDirMode

fields exist for this purpose.)

These files basically can be deleted by only apache (web) user.

However, it is not convenient because we cannot delete these files by using FTP tools.

Like asset files which are also generated by Yii framework, I think, that the files and dirs

in runtime directory should be deleteable by any account.

Is there any solution?

redguy · October 24, 2013, 10:42am

configure your server to run PHP as specified user (for example use suexec + fastcgi). This way files created by PHP will have this user as owner and you can delete them with ftp client. Allowing everybody to delete (and update in fact) those files is rather security hole…

knaito · October 28, 2013, 8:34am

Thanks, redguy.

Yes, I know that it is a nice idea in which the PHP running user should be identified to the ftp client user.

However, I want to make a freeware using Yii framework.

It’s installation and uninstallation must be easy.

Some people are not familiar with the PHP running user, file owner and file privileges.

I want to prevent them from (basic) troubles.

Indeed, the problem of the security hole is important.

In the production environment, I think the runtime directory must be a hidden local directory

far away from the document root directory.

nineinchnick · October 28, 2013, 3:42pm

Almost every PHP web application that create local files faces this issue. Most open source PHP software that uses an ‘installator’ creates the config file through the http server with it’s permission and that could leave a security hole.

And sadly, most users totally ignore permissions setting them to something like 777 and they never try to learn the proper way. I would say you’re up against a problem that doesn’t have an easy solution. I would try to write a good instructions set and troubleshooting examples/stories.

knaito · October 29, 2013, 5:12am

Thanks, nineinchinick.

Yes, my installer has a security problem as you pointed out.

I change a policy and I will try to write a good documents.