Not sure of the other security issues, but you can run suPHP which runs PHP as a normal user, which then you can assign tight permissions...

Eric

On Thu, Aug 9, 2012 at 8:48 PM, Lisa Kachold <lisakachold@obnosis.com> wrote:
Postscript:

You can use HTEXPLOIT to bypass any .htaccess permissions:

HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process. By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.


http://www.blackhat.com/usa/bh-us-12-briefings.html#Soler

On Wed, Aug 8, 2012 at 6:18 PM, Lisa Kachold <lisakachold@obnosis.com> wrote:
Hi Keith,


On Wed, Aug 8, 2012 at 11:50 AM, keith smith <klsmith2020@yahoo.com> wrote:

Hi,

I need to make a directory writable so WordPress can upload images to the directory. I'm thinking I need to change the group ownership of the directory to Apache with the user remaining the same. In the past I've changed the group and ownership to Apache and was blocked from FTP access after that.

Any security issues I need to be aware of?  Other approaches?

Any advice is much welcomed!!  Thank you for your help!!

------------------------
Keith Smith


Known Issue: WordPress asks for a directory location: you set it up as 755 and it won't work.

WordPress works, of course, from PHP and Apache. So in order to allow for Apache ftp you would need to make it writable by Apache and other. If you change the group writable permissions your ftp breaks (so don't do that!):

Here's more on it:  http://wordpress.org/support/topic/advanced-problem-image-upload

http://wordpress.org/support/topic/151290

Solution:

You need to use "chmod 777" for uploads to work.

Security Issues:

This is a security risk of course, since there are many spider scrapers looking for an open permission directory to be able to write, say a fake Phishing Site page for UPS with an email results script. 

Solution: (from Wordpress documentation):

Base image directory

The base image directory must be world writable i.e.: chmod 777

Base image URL

The URL to the base image directory, the web browser needs to be able to see it.

Note that the directory can be protected via .htaccess on apache; check your web server documentation for further information on directory protection. If this directory has to be publicly accessible, remove scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We only want to store images in this directory and its subdirectories.

On apache you can create the following .htaccess file in your base image directory:

# Deny access to every file whose name does not end in an image extension
<FilesMatch "^(?!.*\.(jpeg|jpg|png|gif)$)">
    Order deny,allow
    Deny from all
</FilesMatch>


--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
Safeway.com
Automation Engineer
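
An added example, not part of the original thread: a shell function that audits an uploads directory for the two risks discussed above, entries left world-writable (such as mode 777) and files that are not images. The function name audit_uploads, the output labels and the extension list are assumptions made for this example.

```shell
#!/bin/sh
# audit_uploads DIR
# Added example (not from the thread). Prints one finding per line:
#   WORLD-WRITABLE <path>   entry writable by "other" (for example mode 777)
#   NON-IMAGE <path>        regular file without an image extension
# Returns 0 when nothing is found, 1 when there are findings, 2 on bad input.
audit_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # First find: -perm -0002 matches any entry with the other-write bit set,
    # including DIR itself. Symlinks are skipped because their own mode bits
    # carry no meaning.
    # Second find: regular files whose name does not end in an allowed image
    # extension (assumed list: jpg, jpeg, png, gif), matched case-insensitively.
    # A .htaccess file is expected in the directory and is not reported.
    findings=$(
        find "$dir" ! -type l -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;
        find "$dir" -type f \
            ! -name '.htaccess' \
            ! -name '*.[jJ][pP][gG]' \
            ! -name '*.[jJ][pP][eE][gG]' \
            ! -name '*.[pP][nN][gG]' \
            ! -name '*.[gG][iI][fF]' \
            -exec printf 'NON-IMAGE %s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it from cron against the upload path and alert on a non-zero exit status; a NON-IMAGE hit on a .php or .html file in that directory is the case the message above warns about.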

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss