writing to a php file

         

ryan_b83

8:45 pm on Oct 30, 2007 (gmt 0)

10+ Year Member



Hello, I am trying to write to a php file using another php file. However I am required to use the permissions 666. Is there a security issue with doing this?

Also I thought maybe I would just create a second file which is called to change the permissions of the file temporarily, which already has root ownership. Are there issues with this method?

Thanks,
Ryan

PHP_Chimp

11:32 am on Oct 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why are you required to use 666?
As the number alone should give you a reason to think twice about it ;)

Allowing everyone to read and write to a file is never a good idea.
So if you have to use 666 then try the following -

Use a file name that is unlikely to be guessed, i.e. if this is some form of admin file then don't call it admin.php...call it asdfjklhj897askj.php or some other random string.

Don't have a link to the file in the source code. Put the link in the php so that no one can see it.

If there is no other way then maybe you could require a password to use the file (apache mod_auth), then send the password to the url using the header function. So long as the contents of that file are not sent directly back all of that internal php processing should not be seen by the browser.

As with everything security wise it all depends on what information you are hiding from people.
A few dodgy pics of friends...not so bad, financial/medical records then this is not really good enough security.

Habtom

11:56 am on Oct 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



... or

* change the permission to 666:
chmod("/somedir/somefile", 0666);

* make your modifications

* put it back to where it was:
chmod("/somedir/somefile", 0755);

PHP_chimp is right, take clues from numbers :)

Habtom

[edited by: Habtom at 12:23 pm (utc) on Oct. 31, 2007]

jatar_k

12:11 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



as to the second idea,

having a public file execute a root perm file is not a good idea, anything that circumvents permissions is a bad idea

Habtom

12:21 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



jatar_k, what if you put back the ownership.

chown root file|directory

The whole idea somehow feels like there is something wrong in it, but I can't understand why changing the permissions is not a good idea.

If you think changing the ownership is not a good idea, what do you suggest?

[edited by: Habtom at 12:21 pm (utc) on Oct. 31, 2007]

jatar_k

12:27 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



the first thing to look at is who owns it right now

can that be changed via ftp? will that help?

can you just create the file using php, thereby allowing writing by php files?

can you write to another file, using php, and then have a cron with proper perms append to the other file at some interval

I have no clue what file this might be or why the permissions are wrong but seldom are you locked into a position where you need to get around permissions, you usually just aren't going about it properly.

maybe your host is just a joker? ;)
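
The "write to another file, then let a cron job with proper perms update the real one" idea from the post above, sketched as an added example (not code from this thread). The spool/docroot layout is an assumption: the PHP script, running as the web server user, can write only into the spool directory, and this function runs from the crontab of the user who owns the site files.

```shell
#!/bin/sh
# publish_staged SPOOL DOCROOT
# Installs each staged *.php file over the live page of the same name and
# prints how many pages were published. Directory names are hypothetical.
publish_staged() {
    spool=$1 docroot=$2 count=0
    work=$(mktemp -d) || return 1      # private to the cron user (mode 700)
    for staged in "$spool"/*.php; do
        name=${staged##*/}
        # Conservative names only; this also skips an unmatched glob ("*.php").
        case $name in
            [!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) continue ;;
        esac
        # Only replace pages that already exist: the web-facing script can
        # edit content but cannot drop new scripts into the docroot.
        [ -f "$docroot/$name" ] || continue
        # Take the file out of the shared spool before inspecting it, so the
        # web server user cannot swap it after the checks.
        mv -f "$staged" "$work/$name" 2>/dev/null || continue
        # Regular files only: a symlink could point at a file that only the
        # cron user is allowed to read.
        if [ -L "$work/$name" ] || [ ! -f "$work/$name" ]; then continue; fi
        # Copy (new file owned by the cron user), fix the mode, then rename
        # into place so visitors never see a half-written page.
        tmp=$docroot/.$name.$$
        if cp "$work/$name" "$tmp" && chmod 644 "$tmp" \
            && mv -f "$tmp" "$docroot/$name"; then
            count=$((count + 1))
        else
            rm -f "$tmp"
        fi
    done
    rm -rf "$work"
    echo "$count"
}
```

With this split the live pages stay owned by the FTP/site user at 644, and the only location the web server user can write to is the spool directory.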

ryan_b83

2:56 pm on Oct 31, 2007 (gmt 0)

10+ Year Member



Hi, thanks for the replies. Well I am on a VPS so I have root access to my server so I don't know if the host is playing games. Anyhow the reason why I am having permission problems is because I am building a basic CMS which I am required to open other web pages on my site and write the changes to the php file. I could write to the file if the permissions were set to 666, but it doesn't seem right to have to set my whole website to 666 just to allow another script to access it for editing.
Thanks,
Ryan

jatar_k

2:59 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



if your CMS creates the files then it should have ownership though and that would make 755 work

ryan_b83

3:19 pm on Oct 31, 2007 (gmt 0)

10+ Year Member



Actually, the CMS does not create the files, it is all uploaded via FTP. There is only one file that has this file writing capabilities, and it's within a password authenticated section of the admin. (if that helps)

jatar_k

3:20 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



then if you only need to write to that protected file then you could actually do the chown/chmod change and then change it back I guess

ryan_b83

3:43 pm on Oct 31, 2007 (gmt 0)

10+ Year Member



Yeah, that's what I wanted to do but I kept getting this error:

Warning: chmod() [function.chmod]: Operation not permitted in

Thanks,
Ryan

ryan_b83

5:13 pm on Oct 31, 2007 (gmt 0)

10+ Year Member



I talked with the hosting provider. They said chmod, chown and chgrp won't work from the php script because it runs as the linux user "nobody", they said if it ran as "root" then it would be able to perform those functions.

Is it possible (maybe in a .htaccess file) to set the user to "root" every time that script is run? Or is this another silly security mistake?

Thanks,
Ryan

jatar_k

5:14 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



that would be bad

nobody is pretty standard, hence why I was mentioning that if php creates the file then it can edit it

ryan_b83

5:17 pm on Oct 31, 2007 (gmt 0)

10+ Year Member



Yeah, that sounds right. The only problem is when I upload the files via FTP, it gives all the files different users/groups.

ryan_b83

5:19 pm on Oct 31, 2007 (gmt 0)

10+ Year Member



What if I ran the php file as the same username as the rest of the files instead of root? I would assume at that point you would be able to create/edit/delete files all as that same username?

Can this be done via the .htaccess file, forcing one single script (the one doing the read/writing) to run as the specific username?