From: Tim B. <tim...@ya...> - 2005-10-17 19:07:05
Attachments:
setup.sh.php
|
Just in case it is helpful to others, I find that the tasks in setup.sh can be done in PHP on my server (which does not allow shell access); the attached script is what I use after updating my site to the newest CVS version. If someone wants to wrap this code with something like the following, it could be integrated into Tiki as a general solution to solve the no-shell access problem.

if (on an OS that requires file-permissions && file permissions not set){
    run my setup.sh.php code;
}

Sincerely,
Tim Black |
From: <da...@da...> - 2005-10-17 19:30:19
|
On Mon, Oct 17, 2005 at 12:06:55PM -0700, Tim Black wrote:
> Just in case it is helpful to others, I find that the
> tasks in setup.sh can be done in PHP on my server
> (which does not allow shell access); the attached
> script is what I use after updating my site to the
> newest CVS version. If someone wants to wrap this
> code with something like the following, it could be
> integrated into Tiki as a general solution to solve
> the no-shell access problem.
>
> if (on an OS that requires file-permissions && file
> permissions not set){
> run my setup.sh.php code;
> }
>
> Sincerely,
> Tim Black

Hi!

There are many combinations of user permissions that Apache can be given. It all depends on the ownership of the files. If your host allows you to set up files in that way, you will have a major security problem, as there is nothing stopping anyone from uploading and executing malicious code to delete any file.

Apache should not be able to write to any file except those directories in setup.sh / fixperms.sh.

That code certainly wouldn't run on my servers as I have this line in my php.ini:

disable_functions=exec, passthru, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system

:)

Nice thought tho, but I wouldn't trust that kind of setup. Not just for TikiWiki, but any web application.

Damian Parker
Damosoft |
From: Flo G. <fl...@bi...> - 2005-10-18 09:21:26
|
I agree with Damian, but it could be safely integrated as PHP chmod() (see http://php.speedbone.de/manual/en/function.chmod.php) calls in tiki-install.php.

Flo

On Mon, 17 Oct 2005 da...@da... wrote:
> On Mon, Oct 17, 2005 at 12:06:55PM -0700, Tim Black wrote:
>> Just in case it is helpful to others, I find that the
>> tasks in setup.sh can be done in PHP on my server
>> (which does not allow shell access); the attached
>> script is what I use after updating my site to the
>> newest CVS version. If someone wants to wrap this
>> code with something like the following, it could be
>> integrated into Tiki as a general solution to solve
>> the no-shell access problem.
>>
>> if (on an OS that requires file-permissions && file
>> permissions not set){
>> run my setup.sh.php code;
>> }
>>
>> Sincerely,
>> Tim Black
>
> Hi!
>
> There are many combinations of user permissions that Apache can be
> given. It all depends on the ownership of the files. If your host
> allows you to set up files in that way, you will have a major security
> problem, as there is nothing stopping anyone from uploading and
> executing malicious code to delete any file.
>
> Apache should not be able to write to any file except those directories
> in setup.sh / fixperms.sh
>
> That code certainly wouldn't run on my servers as I have this line in my
> php.ini:
>
> disable_functions=exec, passthru, proc_close, proc_get_status,
> proc_nice, proc_open, proc_terminate, shell_exec, system
>
> :)
>
> Nice thought tho, but I wouldn't trust that kind of setup. Not just for
> TikiWiki, but any web application.
>
>
> Damian Parker
> Damosoft
|
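
Added example (not from any poster in this thread, and not Tiki code): a shell audit for the rule stated above that Apache should be able to write only to the directories setup.sh / fixperms.sh open up. It assumes the web server reaches the files through the "other" permission bits; the directory names `cache` and `uploads` and the sample tree are constructed placeholders, not the list from setup.sh.

```sh
#!/bin/sh
# audit_writable ROOT ALLOWED_DIR...
# Prints every path under ROOT that "other" may write to and that is not
# inside one of the allow-listed directories (given relative to ROOT).
# Limitation: file names containing newlines are not handled.
audit_writable() {
    root=${1%/}
    shift
    # Symlinks are skipped: their own mode bits do not control access.
    find "$root" ! -type l -perm -0002 -print | while IFS= read -r path; do
        rel=${path#"$root"/}
        [ "$path" = "$root" ] && rel=.
        allowed=no
        for dir in "$@"; do
            case "$rel" in
                "$dir"|"$dir"/*) allowed=yes ;;
            esac
        done
        [ "$allowed" = yes ] || printf '%s\n' "$rel"
    done | sort
}

# Constructed sample tree; cache/ and uploads/ stand in for the directories
# a setup script would open up (placeholder names, not Tiki's real list).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/cache" "$t/lib" "$t/uploads/img"
    : > "$t/index.php"; : > "$t/lib/db.php"; : > "$t/cache/page.tpl"
    chmod 755 "$t" "$t/lib"
    chmod 644 "$t/index.php"
    chmod 777 "$t/cache" "$t/uploads" "$t/uploads/img"
    chmod 666 "$t/cache/page.tpl" "$t/lib/db.php"   # lib/db.php is the stray one
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_writable "$tree" cache uploads    # reports lib/db.php
rm -rf "$tree"
```

If the web server runs as the file owner or is in the file's group, the same walk needs `-perm -0200` or `-perm -0020` in place of `-perm -0002`.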