chmod html files to 666 - risks ?

They have: 5 posts

Joined: Nov 2002

What exactly are the risks involved in making HTML files world-writable?

I have a CGI script which allows a user to edit an HTML file after they enter a password. For this purpose, the file must be chmod'ed to 666. The password only protects access to the editor script and there is no .htaccess-type password protection on the HTML files or directory at all.

Can anyone tell me what security risks this poses? Could someone make changes to the files or delete them?

Thanks.


They have: 2,256 posts

Joined: Feb 2001

chrisuk, Welcome to WMF.

Chmod to 666 can be dangerous, mainly depending on what the file is. If it is a setup file, then you don't want anyone to be able to run it. Someone could change or delete the files, but they would have to have access to your server.

Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states

They have: 5 posts

Joined: Nov 2002

Hi and thanks for welcoming me.

The files are just ordinary HTML web pages. I am concerned that someone would be able to change the files, i.e. delete the content or add their own. I don't want "all your base are belong to us" plastered all over my website.

Would chmod'ing an HTML file to 666 allow someone to do this easily?


He has: 4,048 posts

Joined: Aug 2000

As long as they could find the file, yes, they could edit it. Try changing the chmod of the directory they are present in to 700. Unix users will be able to see the directory, but will not be able to see inside it.

Something else you might try: don't edit the HTML file directly. Instead edit a .txt or .dat file somewhere, then use SSI to include that file into a .shtml file.

Mark Hensler
If there is no answer on Google, then there is no question.
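Added example, not from the thread: a small Python check that makes Mark Hensler's point concrete. A file's own mode (666) only matters if every directory between the web root and that file carries the "other" search bit (o+x); a 700 directory breaks the chain, so other Unix users on the box cannot open the file even though it is world-writable. The layout, file names and the `root` parameter are constructed for this demonstration and are not the poster's site.

```python
import os
import stat
import tempfile


def other_bits(path):
    """(read, write, search/exec) permission bits for 'other' users, from lstat."""
    m = os.lstat(path).st_mode
    return bool(m & stat.S_IROTH), bool(m & stat.S_IWOTH), bool(m & stat.S_IXOTH)


def first_blocking_dir(path, root):
    """Return the first directory, from `root` down to the one holding `path`,
    that lacks the 'other' search bit (o+x), or None if all are traversable.
    Everything above `root` is assumed reachable (normally true of /, /home, /tmp)."""
    root = os.path.realpath(root)
    parent = os.path.realpath(os.path.dirname(path))
    if os.path.commonpath([root, parent]) != root:
        raise ValueError(f"{path} is not under {root}")
    chain = [root]
    cur = root
    if parent != root:
        for part in os.path.relpath(parent, root).split(os.sep):
            cur = os.path.join(cur, part)
            chain.append(cur)
    for d in chain:
        if not (os.lstat(d).st_mode & stat.S_IXOTH):
            return d
    return None


def assess(path, root):
    """Summarise whether an arbitrary local user could open `path` for writing.
    Mode bits only: ACLs, group membership and the owning uid are not considered."""
    _, writable, _ = other_bits(path)
    blocking = first_blocking_dir(path, root)
    return {
        "mode": oct(stat.S_IMODE(os.lstat(path).st_mode)),
        "world_writable_bit": writable,
        "blocked_by": blocking,
        "reachable_and_writable": writable and blocking is None,
    }


def build_demo():
    """Constructed layout: two copies of index.html chmod'ed 666, one in a 755
    directory and one in a 700 directory (the suggestion in the post above)."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="chmod666-"))
    os.chmod(base, 0o755)  # mkdtemp creates it 700; open the demo root itself
    results = {}
    for name, dir_mode in (("public", 0o755), ("private", 0o700)):
        d = os.path.join(base, name)
        os.mkdir(d)
        page = os.path.join(d, "index.html")
        with open(page, "w") as fh:
            fh.write("<h1>hello</h1>\n")
        os.chmod(page, 0o666)
        os.chmod(d, dir_mode)
        results[name] = assess(page, base)
    return results


if __name__ == "__main__":
    for name, info in build_demo().items():
        print(name, info)
```

The check looks at mode bits only. It says nothing about the owner of the file: on a shared host where every CGI runs as the same web-server user, any other customer's script on that box acts as that user and walks straight through a 700 directory, which is the case the permission bits cannot protect against.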

They have: 5 posts

Joined: Nov 2002

Thanks for your advice.

I like the text file idea, although the text file itself would in theory still be open to "attack".

I have considered the following possibility.....

What about a script that allows a user to perform the following actions...

1. login
2. click to allow files in a directory to become "editable" (chmod files to 666)
3. Edit files
4. click to secure files (change them back to read only)

The "edit switch" could be contained in a top frame.

The login would be set on a subfolder and would allow the user to switch on / off the files in their folder for editing. I think this would be easy to do - does anyone know of a script that could do this ?

If anyone can write a script like this, I might be interested in paying for it (if the price is right).

They have: 5 posts

Joined: Nov 2002

additional....

The script would only be required to process a login and set the file permissions - the editing and saving of the file would be performed by an existing script. The process would have to allow for the editor script to do its job and then allow the user to switch the permissions back to read only - this is why I suggested running the permissions script in a top frame - so it is accessible.

Does anyone know what I mean ? - or am I talking crap ?

He has: 1,016 posts

Joined: May 2002

I suggest you use MySQL instead of text files. It's more secure, faster and easier to use.

They have: 5 posts

Joined: Nov 2002

TWF, you may have missed a couple of posts, please read above.


He has: 4,048 posts

Joined: Aug 2000

I would recommend MySQL as well, but I'm assuming you'd rather fix this than develop new.

If you do use a separate text file, you might want to keep it outside the web root (so people can't browse for it).

To chmod files with a script, the file will need to be owned by the user Apache runs as. OR, your server will have to have suexec configured.

As far as security goes for flat files... it's not 100%, but IMO, it's often good enough. The only people who could attack the file would be people with a unix account on the same box. If you hide the file in a directory they can't see inside, and/or even nest it a few levels, I think the odds are it's secure enough.

Mark Hensler
If there is no answer on Google, then there is no question.
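Added example, not from the thread and not the poster's existing editor script: the "edit switch" chrisuk describes (log in, chmod the folder's pages to 666, edit, chmod them back to 644) as a pair of Python functions, written to respect the ownership requirement Mark Hensler raises. chmod by a uid other than the file's owner fails with EPERM, so the switch checks `st_uid` against its own effective uid instead of blindly calling chmod. The login and session handling are left out; the folder name, the `allowed_root` parameter and the sample tree are assumptions made for this example.

```python
import os
import stat
import tempfile

EDITABLE = 0o666   # what the existing editor script needs while a page is being edited
LOCKED = 0o644     # read-only for everyone except the owning user


def html_files_in(folder, allowed_root):
    """Regular .html files directly inside `folder`, after checking that the folder
    really sits under `allowed_root` (the login names a folder; a value such as
    ../../etc must not let the switch touch anything else). Symlinks are skipped,
    so a link planted in the folder cannot redirect the chmod elsewhere."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(folder)
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{folder!r} resolves outside {allowed_root!r}")
    found = []
    for name in sorted(os.listdir(target)):
        path = os.path.join(target, name)
        st = os.lstat(path)
        if name.endswith(".html") and stat.S_ISREG(st.st_mode):
            found.append((path, st))
    return found


def set_editable(folder, allowed_root, editable):
    """Flip the .html files in `folder` to 666 (editable) or back to 644 (locked).
    Only files owned by the uid this runs as are changed: chmod by any other uid
    fails with EPERM, which is why the files must belong to the web server user
    or the script must run under suexec as their owner. Root is exempt."""
    mode = EDITABLE if editable else LOCKED
    me = os.geteuid()
    changed, skipped = [], []
    for path, st in html_files_in(folder, allowed_root):
        if st.st_uid != me and me != 0:
            skipped.append(path)  # chmod would raise PermissionError; report instead
            continue
        os.chmod(path, mode)
        changed.append(path)
    return changed, skipped


def build_demo():
    """Constructed site tree: one page, one non-HTML file and one symlink; the
    switch is turned on, turned off, then pointed outside its allowed root."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="editswitch-"))
    site = os.path.join(base, "chrisuk")
    os.mkdir(site)
    page = os.path.join(site, "index.html")
    with open(page, "w") as fh:
        fh.write("<h1>hello</h1>\n")
    os.chmod(page, LOCKED)
    with open(os.path.join(site, "notes.txt"), "w") as fh:
        fh.write("not a page\n")
    os.symlink(os.path.join(base, "elsewhere.html"), os.path.join(site, "link.html"))

    on_changed, _ = set_editable(site, base, True)
    mode_on = stat.S_IMODE(os.stat(page).st_mode)
    off_changed, _ = set_editable(site, base, False)
    mode_off = stat.S_IMODE(os.stat(page).st_mode)
    try:
        set_editable(os.path.join(site, "..", ".."), base, True)
        escape_refused = False
    except PermissionError:
        escape_refused = True
    return {
        "page": page,
        "changed_on": on_changed,
        "changed_off": off_changed,
        "mode_on": mode_on,
        "mode_off": mode_off,
        "escape_refused": escape_refused,
    }


if __name__ == "__main__":
    for key, value in build_demo().items():
        print(f"{key}: {oct(value) if key.startswith('mode') else value}")
```

Two details matter more than the chmod calls themselves: the folder the user is allowed to switch is resolved with `realpath` and compared against a fixed root, and directory entries are examined with `lstat` so that only regular files are touched. Without both, a login that can name a folder can also name one it should not, and a symlink dropped into the folder becomes a way to make the switch chmod a file somewhere else.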
