security php fopen chmod 777

[skyshine]

Hi

If using php in a cPanel account the only way I can write to a file is to CHMOD as writable to everybody . I would have thought this is a security issue, enabling anyone to write to that file. Can someone please clarify? I have read somwhere that for some reason this is still secure, but I question that.

eg
$fileH = fopen("/home/path/to/file","w");
comes up with
Warning: fopen(/home/path/to/file): failed to open stream: Permission denied in /home/path/to/file on line 2
unless CHMOD xx6 or xx7

Many Thanks
Sky

[sv1]

We have an issue on a server which we upgraded php and after running /scripts/convert2maildir

Warning: fopen(/tmp/horde_32001.log): failed to open stream: Permission denied in /usr/local/cpanel/3rdparty/lib/php/Log/file.php on line 202

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/cpanel/3rdparty/lib/php/Log/file.php:202) in /usr/local/cpanel/base/horde/login.php on line 96

[sh4ka]

first try chmod 755 and if that doesn't work temporary you will have to chmod 777 that file until you resolve the problems, and yeap, it's kind unsure that..

[chirpy]

Quote:

Originally Posted by sv1

We have an issue on a server which we upgraded php and after running /scripts/convert2maildir

Warning: fopen(/tmp/horde_32001.log): failed to open stream: Permission denied in /usr/local/cpanel/3rdparty/lib/php/Log/file.php on line 202

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/cpanel/3rdparty/lib/php/Log/file.php:202) in /usr/local/cpanel/base/horde/login.php on line 96

Just delete the /tmp/horde_32001.log file and it should recreate itself with the correct ownership. Also, do make sure that /tmp is chmod 1777.

Quote:

If using php in a cPanel account the only way I can write to a file is to CHMOD as writable to everybody . I would have thought this is a security issue, enabling anyone to write to that file. Can someone please clarify? I have read somwhere that for some reason this is still secure, but I question that.

Yup, welcome to the crap php security model. Oh wait, it doesn't have one. If you want to avoid that you'd have to rebuild apache with phpsuexec enabled.