Change the visitor's permission group on login

Question

My server wont allow users to write files in php, for as far as I looked this has to do with user permissions. But solving this causes a major security flaw. More information about these solutions can be found here php won't create file and here How do I give PHP write access to a directory?

So my question is instead of changing the servers permissions, is it possible to change the user's permission or permission group only after he logs into the application? In php terms after running the login() function.

I want this because I am developing an application that is an extension on the admin panel of askozia(a call center). Where each user can change and see its own data, without being able to change and see the admin settings and the data of other users. However all this data is not saved in a database but in an XML-file, so users need to be able to write to this XML-file.

Answer 1

You should not change the User (Which would be a bigger security hole). You want some rights for your current user.

For Windows: http://technet.microsoft.com/en-us/library/bb727008.aspx

For Linux http://www.computerhope.com/unix/uchmod.htm

Don't forget: The useraccount for your webserver is not the user in front of the website. You have to care about the "website viewers" permission. But your webserver account, should have all rights he need. If you would change the user, it would be the same.

Answer 2

The permissions that are given on the filesystem are from the user that is running the PHP instance. You cannot change the permission on runtime, but you can start a different application under a different user using sudo on *nix (and runas under Windows) to create, modify and read files.

You can check the 'web user' when it's trying to change a file to prevent malicious modifications when you want to use the standard PHP file operations (but this still requires the PHP instance to have write permissions on the file).