If I write a script that I want others to be able to put on their servers, what is the best recommendation for chmodding the directory it is in?
The script needs to be able to create subdirectories, create and modify files, and delete them. This only needs to occur in the directory the script is sitting in. What I'm struggling to understand is who exactly would be doing this. The "apache" user, "www" or the actual human user who owns the server? I've read that the apache user is in the "everyone" group and so therefore I'm assuming the directory this script is in needs to have permissions set to 777. But then I've also read this is probably insecure.
Why is this insecure? Who could possibly have permission to write/delete stuff apart from the server and the human owner of the server?
Finally (the reason this is in the PHP forum), is the PHP engine a separate user? If so, does that mean the PHP user is the one creating/modifying/deleting files, or is this task passed to the apache user?
I had come to understand something from this article, hope it will help you too:
Thanks Raju, that answers my question of "who is Apache?". Since Apache is under the "other" (or "everyone") group, if I want the script to create and delete files and directories, I suppose I'll have to set it to 757.
As far as I know PHP is invoked by Apache and runs under the same user as apache does. Unless SuPHP is installed, in which case PHP will run under the username of the owner of the file it is processing (if the owner of index.php is raffles, it will run under username raffles).
In the case of SuPHP you don't need 777 or 757, but 755 will do (assuming that the directory the file is in has the same owner as the file itself).
As for security implications, HTTP has a DELETE command (like GET and POST) that allows files to be deleted using just HTTP. Though I'm not sure if DELETE is actually implemented / works in most modern web servers. I've never actually heard of any files being deleted using DELETE. Which doesn't mean it never happened