Allow PHP to write to cascade-published folders without compromising security
Our current SFTP transport uses a "cascade" user and the default "022" umask.
We've recently launched a new school-wide calendar, and are starting to implement PHP widgets using the API. We'd like PHP to have write-access to the folders generated by Cascade, so it can create cached calendar data. I've added the PHP run-as user "www-data" to the "cascade" group.
But with the current permissions, files are published with 644 and folders with 755. From what I understand, I can change the umask for the cascade user to "002" if I'd like this behavior to change to 664/775.
I'm a little hesitant to change these default permissions, because it seems like a potential security concern.
I briefly looked into a way to set up a transport with the "www-data" user instead of cascade, but quickly realized setting a password for www-data is a major security issue (if it's even possible).
Do you have any other ideas on how to approach this?
Thanks!
Marc
2 Posted by mstevens on 24 May, 2012 03:01 PM
We found an alternate solution that doesn't require PHP to have write access to multiple folders. We're storing all calendar cache in a specific folder so we can set the permissions on that folder manually.
mstevens closed this discussion on 24 May, 2012 03:02 PM.
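The trade-off discussed in this thread, as an added example that is not part of the original posts: it shows the modes produced by umask 022 and 002, then sets up a single setgid, group-writable cache directory so the publish umask can stay at 022. The helper names and the `calendar-cache` path are hypothetical, and the group defaults to the current user's so the script runs without root; on the server described above the group would be `cascade`.

```shell
#!/bin/sh
# Added example: everything runs in a throwaway temp directory (constructed paths).

# Print the octal permission bits of a path (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file and a directory under the given umask; print "filemode dirmode".
modes_under_umask() {
    mask=$1 base=$2
    (
        umask "$mask"              # subshell: the caller's umask is untouched
        mkdir "$base/dir-$mask"
        : > "$base/file-$mask"
    )
    echo "$(mode_of "$base/file-$mask") $(mode_of "$base/dir-$mask")"
}

# Make ONE directory group-writable instead of loosening the umask everywhere.
# setgid (the leading 2) makes new entries inherit the directory's group.
# 2775 is an assumption; use 2770 if other users do not need to read the cache.
make_cache_dir() {
    dir=$1 group=${2:-$(id -g)}
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
}

# Succeed only if the path is a directory that is setgid and group-writable
# but not world-writable.
cache_dir_ok() {
    [ -n "$(find "$1" -prune -type d -perm -2020 ! -perm -0002 -print 2>/dev/null)" ]
}

work=$(mktemp -d)
echo "umask 022 (file dir): $(modes_under_umask 022 "$work")"
echo "umask 002 (file dir): $(modes_under_umask 002 "$work")"
make_cache_dir "$work/calendar-cache"
cache_dir_ok "$work/calendar-cache" && echo "calendar-cache: setgid, group-writable, not world-writable"
rm -rf "$work"
```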