PHP chmod Newbie Question

Hi, the PHP manual says that there are three separate sets of users
that the chmod function recognizes: the owner of the file, the group
that the owner is in, and everyone else. How does the server keep
track of who created the file? I don't see how this could be managed
with cookies or by tracking ip addresses.

Also, how do I create user groups for chmod to recognize?

The project I am working on involves users uploading files to a single
directory on the server. The MySQL database keeps track of who
created which file (based on the file's name and the user's username)
and only allows the users to view files they created. My problem is
that my php script only lists the user's files, but when they are
viewing a file, the user may easily change the url to the name of a
file they are not authorized to view, and then successfully view it.
I have no idea how to secure this system, other than using the chmod
function.

-Karl
dredge [ Fri, 25 May 2007 18:51 ] [ ID #1723167 ]

Re: PHP chmod Newbie Question

dredge wrote:
> Hi, the PHP manual says that there are three separate sets of users
> that the chmod function recognizes: the owner of the file, the group
> that the owner is in, and everyone else. How does the server keep
> track of who created the file? I don't see how this could be managed
> with cookies or by tracking ip addresses.

To make this work you need a file system that supports multiple users, such as
ext2/ext3/ext4, reiserfs/reiser4, jfs, xfs and many more.

These file systems store the user id, group id and privileges along with other
data such as creation time and file name.

If you use a single-user file system, like the majority of those by Microsoft,
they can't store this extra data and chmod will not work.


> Also, how do I create user groups for chmod to recognize?

Use the system command groupadd; to create a new user, use useradd.


> The project I am working on involves users uploading files to a single
> directory on the server. The MySQL database keeps track of who
> created which file (based on the file's name and the user's username)
> and only allows the users to view files they created. My problem is
> that my php script only lists the user's files, but when they are
> viewing a file, the user may easily change the url to the name of a
> file they are not authorized to view, and then successfully view it.

Don't use direct access to the files; put them in a directory to which the file
server does not have access (you can't type a URL to see the file). Then use a
script that reads the file from the protected location; it will only list
those files that the user is allowed to read, and will display a message that
they don't have authority to see the file if they try to see someone
else's file.

Good function to use:
http://www.php.net/manual/en/function.passthru.php


> I have no idea how to secure this system, other than using the chmod
> function.

Chmod will require that the user logs in with apache-auth; it will not work if
you use your own home-made login system. To make it simpler for you, and so you
can run it on a Microsoft server, I suggest you put the files in a secure
location and use passthru with a check against the database before you execute
the passthru.


--

//Aho
Shion [ Fri, 25 May 2007 19:22 ] [ ID #1723169 ]
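
The approach from the reply above (files stored outside the web root, served by a script that checks the database first), as an added example that is not code from either poster. It sends the file with `readfile()` rather than `passthru()`, because `passthru()` executes an external program instead of reading a file. The `files(filename, owner)` table, the `authorized_path()` helper, the upload directory, the session key and the database credentials are all assumptions.

```php
<?php
declare(strict_types=1);
// Return the real path of $requested if $username owns it and it lies in $baseDir, else null.
// Table `files(filename, owner)` and every name here are assumptions for this example.
function authorized_path(PDO $db, string $username, string $requested, string $baseDir): ?string
{
    // Accept a bare file name only, so "../other" or "dir/file" is rejected outright.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    // Ownership check against the database, using bound parameters.
    $stmt = $db->prepare('SELECT 1 FROM files WHERE filename = ? AND owner = ?');
    $stmt->execute([$requested, $username]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    // Resolve symlinks and confirm the result is a regular file inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}
if (PHP_SAPI === 'cli') {
    // Offline demo with constructed data: in-memory SQLite stands in for MySQL.
    $dir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/karl_notes.txt", 'constructed sample');
    $db = new PDO('sqlite::memory:');
    $db->exec("CREATE TABLE files (filename TEXT, owner TEXT)");
    $db->exec("INSERT INTO files VALUES ('karl_notes.txt', 'karl')");
    var_dump(authorized_path($db, 'karl', 'karl_notes.txt', $dir) !== null);    // owner
    var_dump(authorized_path($db, 'mallory', 'karl_notes.txt', $dir) !== null); // other user
    var_dump(authorized_path($db, 'karl', '../karl_notes.txt', $dir) !== null); // path in name
    unlink("$dir/karl_notes.txt"); rmdir($dir);
} else {
    session_start();
    $user = $_SESSION['username'] ?? '';   // set by the site's own login (assumed)
    $db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'CHANGE_ME'); // placeholders
    $path = authorized_path($db, (string) $user, (string) ($_GET['file'] ?? ''), '/var/app-data/uploads');
    if ($path === null) {
        http_response_code(403);
        exit('You are not authorized to view this file.');
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Run from the command line it exercises the check against the constructed rows; requested through a web server it takes the `file` query parameter and answers 403 for anything the logged-in user does not own.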