LinuxQuestions.org


fuzzyworm 08-22-2008 01:20 PM

Is it possible to allow just one PHP script to edit a file?
 
I am writing a security app, part of which requires routine modifications to a list of allowed users in a config file.

I have successfully written the script to work with a sample of the config file, and I know that I could make it generally writeable by all PHP scripts by 'chmod'ing and 'chown'ing it to make it writeable by www-data etc.

The problem is, other users will potentially be able to install scripts on the same server, not immediately, but eventually. Consequently, since this file is an important part of our security system, it would be bad if it were generally writeable by any PHP script.

Is there some way to make this one script run as a different user? I would prefer not to save any sensitive info. (passwords etc.) in the source code of the file itself, but at the moment, that's the only way I can think of doing it.

billymayday 08-23-2008 05:59 AM

Do you use SELinux? You could probably create a policy to achieve this.

AdaHacker 08-23-2008 06:16 AM

Take a look at Apache's suEXEC feature. It allows you to set up virtual hosts to execute CGI programs as different users, so you could have one account to run your administrative stuff and another for your users.

vharishankar 08-23-2008 06:32 AM

The easiest way is to use simple file permissions and make the file owned by a different user (or group) which only that particular program has access to. Other users/groups won't be able to access/modify it.
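
Added example, not part of the thread: a Python check of the file-permission approach described in the post above, reporting whether a web server account (www-data, as named in the question) could alter the config file directly or by replacing it through a writable parent directory. It reads only the classic mode bits (ACLs and SELinux are not considered), and the function names `writable_by` and `audit` are this example's own.

```python
import os
import stat


def writable_by(st, uid, gids):
    """True if the mode bits in `st` grant write access to this uid/gid set."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(path, web_uid, web_gids):
    """Return the reasons the web server account could alter `path`."""
    problems = []
    fst = os.stat(path)
    if writable_by(fst, web_uid, web_gids):
        problems.append("file is writable by the web server account")
    dst = os.stat(os.path.dirname(os.path.abspath(path)))
    # Write access to the directory lets an account unlink or rename the file
    # and drop in its own copy, unless the sticky bit is set and the account
    # owns neither the file nor the directory.
    sticky_blocks = bool(dst.st_mode & stat.S_ISVTX) and web_uid not in (
        fst.st_uid, dst.st_uid)
    if writable_by(dst, web_uid, web_gids) and not sticky_blocks:
        problems.append("parent directory is writable by the web server account")
    return problems


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    # Usage: script.py CONFIG_FILE [WEB_USER]; www-data is assumed by default.
    path = sys.argv[1]
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for problem in audit(path, pw.pw_uid, gids):
        print("FAIL:", problem)
```

An empty result means neither the file nor its directory is writable by that account under the mode bits; it does not cover other scripts that run as the file's owner.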

fuzzyworm 08-25-2008 06:47 AM

Quote:

Originally Posted by AdaHacker (Post 3256920)
Take a look at Apache's suEXEC feature. It allows you to set up virtual hosts to execute CGI programs as different users, so you could have one account to run your administrative stuff and another for your users.

That looks like just what I'm looking for.

Thanks very much, and thanks to everyone else who posted.


All times are GMT -5.