Mailing List Archive



Re: [tlug] Permissions on PHP script to only run locally



> I have a PHP script that runs a backup of some site files and emails me
> a tar.gz file once a day. It's activated by cron on the webhosting server
> 
> It works great, but I realized it was a potential security hole. If
> someone knew the exact address of my file, they could easily run a
> script to access it over and over,...

The tgz file is placed under the web directory? If so, creating it under
/home/dave/ is simpler than trying to work out permissions.

Or did you mean the php script file that does the backup is under the
web directory? Again, moving it to under your home directory is simplest.

If those are not good solutions, using apache configuration to deny
access to the file or directory would also do it.

Using unix permissions would be my 3rd choice: too fragile in my
experience. (see also:
http://darrendev.blogspot.com/2010/02/when-unix-dot-means-whole-different.html
)

Darren

P.S. I was about to hit send when I wondered if you meant the cron job
runs the backup script using "wget http://127.0.0.1/...."? If so, use
apache config to either limit access to clients browsing from 127.0.0.1,
or have a check in the php script to do the same.

-- 
Darren Cook, Software Researcher/Developer

Specializing in intelligent search (in multiple languages), discovery
of context, aiding communication, and basically helping people find
and make good use of their data.

http://dcook.org/gobet/  (Shodan Go Bet - who will win?)
http://dcook.org/mlsn/ (Multilingual open source semantic network)
http://dcook.org/work/ (About me and my work)
http://dcook.org/blogs.html (My blogs and articles)
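
The in-script check suggested in the P.S. above, as an added example that is not part of the original message: it allows the backup only when PHP was started from the command line or when the TCP peer is a loopback address. The function name `is_local_invocation` is hypothetical, and the code is meant to sit at the top of the poster's backup script.

```php
<?php
// Added example, not code from the thread. is_local_invocation() is a
// hypothetical helper placed at the top of the backup script.

/**
 * True when the caller may trigger the backup: either the script was
 * started from the command line (cron running "php script.php"), or the
 * TCP peer is a loopback address (cron running wget against 127.0.0.1).
 */
function is_local_invocation(string $sapi, array $server): bool
{
    if ($sapi === 'cli') {
        return true;                      // no HTTP request involved at all
    }
    // REMOTE_ADDR is the socket peer as seen by the web server. Headers
    // such as X-Forwarded-For are client-supplied and are ignored here.
    $peer = $server['REMOTE_ADDR'] ?? '';
    $packed = @inet_pton($peer);
    if ($packed === false) {
        return false;                     // missing or malformed address
    }
    if (strlen($packed) === 4) {
        return $packed[0] === "\x7f";     // IPv4 loopback, 127.0.0.0/8
    }
    if ($packed === inet_pton('::1')) {
        return true;                      // IPv6 loopback
    }
    // IPv4-mapped IPv6 form of loopback, e.g. ::ffff:127.0.0.1
    $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
    return substr($packed, 0, 12) === $mappedPrefix && $packed[12] === "\x7f";
}

if (!is_local_invocation(PHP_SAPI, $_SERVER)) {
    http_response_code(403);
    exit('Forbidden');
}

// ... the existing backup (tar + mail) code continues here ...
```

If the site sits behind a reverse proxy on the same host, every request arrives with a loopback `REMOTE_ADDR`, so this check passes for all visitors. In that setup, moving the script out of the web directory and running it from cron with the PHP CLI is the safer of the options in the message.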

