Basically what I’m trying to do is allow a faster PHP mode in my hosting account, from nearlyfreespeech.com…
What they are telling me to do is below… but I have no clue what files I should be changing permissions to… any help would be greatly appreciated.
Thanks!
The rules for writing files in PHP Fast mode (i.e. with safe_mode enabled) are very simple:
1. The permissions of the file (and/or its parent directory, especially when creating the file) must allow the operation.
2. The file being written and the top-level PHP script being called must be owned by the same user, the same group, or both.
Corresponding to these rules, there are two main steps to follow to set up successful file writing:
1. Set the parent directory you will be writing files in to group web with 775 permissions.
2. Set the top-level PHP script doing the writing to group web with 644 permissions.
By taking these two steps, you will ensure that the destination is writeable and that both the source (the PHP script) and the destination (the file/directory) share the “web” group, thus satisfying both rules. This is the most reliable and secure approach.
The biggest problem people encounter implementing these steps is usually identifying the PHP script that needs to be set to group web. Some people resolve this by simply changing all their PHP scripts to be owned by group web. This approach can work, but requires that more care be paid to file permissions to avoid security issues. We prefer to chgrp only the scripts that actually write files.
It can be counterintuitive that the PHP file that needs to be owned by the web group is the top-level one, not necessarily the one that has the actual file-writing commands. (And, more to the point, often not the one that shows up in a safe_mode-related error message.) If you have access to it, the PHP $_SERVER['SCRIPT_FILENAME'] variable can tell you what the top-level script is. If not (for example for a third-party app like WordPress or Drupal), your site’s access log or error log can usually help you identify it. For popular apps, you can also ask in our forums or check our member wiki for more info on what scripts to chgrp.
We urge people to avoid the urge to both chgrp everything and to set the permissions of everything as group-writeable. (Some apps require/recommend this type of setup in order to allow them to auto-update themselves via the web; doing so trades security for ease of use and is a practice we discourage.) PHP’s security track record is not very good, and our system security is designed primarily to protect sites from each other; it does not (cannot) protect sites from themselves. So while “write everything” may work initially, and it seems “easiest,” sooner or later a flaw will be found in your site’s PHP code or in PHP itself, and if your site is full of group-web writeable files, hackers will make short work of it. Please keep in mind the old adage, “If you don’t have time to do it right, how will you have time to do it over?”
Therefore, the final rule of thumb for writing files in PHP is not to set anything to be both owned by group web and group-writeable unless you don’t mind restoring it from backup after hackers get to it. We hope this encourages you to both be conservative in what you allow PHP to write, and to keep good backups.
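The two setup steps and the final rule of thumb quoted above, written as shell functions. This is an added example, not part of the original post or the host's documentation; the function names and the paths in the usage comments are hypothetical, and WEB_GROUP assumes the group is literally named "web" as in the quoted text.

```shell
#!/bin/sh
# Added example. WEB_GROUP defaults to the "web" group named in the quoted
# rules; function names and the paths in the usage comments are hypothetical.
WEB_GROUP="${WEB_GROUP:-web}"

# Numeric group id of a file or directory (4th field of `ls -ldn`).
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Steps 1 and 2: directory -> group web, 775; top-level script -> group web, 644.
# usage: allow_php_writes /path/to/index.php /path/to/uploads
allow_php_writes() {
    script=$1
    dir=$2
    chgrp "$WEB_GROUP" "$dir" "$script" || return 1
    chmod 775 "$dir" || return 1
    chmod 644 "$script" || return 1
}

# Rule 2 check: succeeds when the top-level script and the write target
# share a group.
# usage: shares_group /path/to/index.php /path/to/uploads
shares_group() {
    [ "$(gid_of "$1")" = "$(gid_of "$2")" ]
}

# Final rule of thumb: list everything under the site root that is both
# owned by the web group and group-writable. Only the directories PHP is
# meant to write into should show up; a listed .php file is a finding.
# usage: audit_web_writable /path/to/site
audit_web_writable() {
    find "$1" \( -type f -o -type d \) -group "$WEB_GROUP" -perm -020 -print
}
```

Run audit_web_writable after installing or updating an app to catch files that an installer left both group web and group-writable.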