I am running a PHP+MySQL site on a LAMP Ubuntu cloud server (Amazon EC2). I use PHP sessions. The Apache PHP user is called www-data.
For every session (SID), I need to create a temporary folder which is a subdirectory of www and has the session ID as its name (unpredictable, therefore cannot be pre-created). For example: /var/www/fileStore/s35S10nT3Mp/.
I will later access files in these folders from a JavaScript (client-side) function.
I am working under the assumptions that:
- anything executed (or called) by the PHP code will run under the user www-data
- client-side JavaScript cannot access a subdirectory OUTSIDE www (for example: /var/outsideFileStore/s35S10nT3Mp/, where webroot = public_html = /var/www)
I would love to be wrong on one or both of the above, for it would solve my problem with no further ado. In case I am not wrong on either one of my assumptions:
I have a security issue with giving user www-data write permissions (necessary for PHP to mkdir the new folder) in a subdirectory of www, because that leaves the server and data in these folders too exposed.
I would like to know if a PHP session can trigger (or call) a server script / process that runs under another user (who would receive write permission in /var/www/fileStore/), not www-data. This process would then create (and garbage collect) these temporary folders.
Corollary: in case this cannot be done under Apache, would Tomcat help (if I ran PHP under Java as opposed to http_server)?
Corollary 2: what if I ran a socket connection (from inside PHP) to a socket server (which I have in C++) and had the socket server (another user, obviously) do the file creation? Is this overkill?
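The file-creation step of the helper process described in corollary 2, as an added example that is not part of the original post. It covers only the part that turns a session ID received from PHP into a directory; the function names, the accepted character set (the characters PHP can emit in a session ID), the 0750 mode and the `/tmp` stand-in path are assumptions.

```cpp
// Added example: directory-creation core of a helper that runs as a
// dedicated user (not www-data). Names, limits and mode are assumptions.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Accept only 0-9, a-z, A-Z, ',' and '-'. Because '/' and '.' are never
// accepted, a name such as "../x" cannot escape the base directory.
bool valid_session_id(const std::string& sid) {
    if (sid.empty() || sid.size() > 256) return false;
    for (unsigned char c : sid) {
        bool ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                  (c >= 'A' && c <= 'Z') || c == ',' || c == '-';
        if (!ok) return false;
    }
    return true;
}

// Returns 0 on success, EINVAL for a rejected ID, otherwise the errno value.
int create_session_dir(const std::string& base, const std::string& sid) {
    if (!valid_session_id(sid)) return EINVAL;
    // Refuse a base path whose last component is a symlink or not a directory.
    int dirfd = open(base.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0) return errno;
    int rc = 0;
    // 0750: the helper's user writes; a group containing www-data may only read.
    if (mkdirat(dirfd, sid.c_str(), 0750) != 0) rc = errno;
    close(dirfd);
    return rc;
}

int main() {
    char tmpl[] = "/tmp/fileStoreXXXXXX";  // constructed stand-in for /var/www/fileStore
    char* base = mkdtemp(tmpl);
    if (!base) return 1;
    std::printf("valid id:     %d\n", create_session_dir(base, "s35S10nT3Mp"));
    std::printf("repeated id:  %d\n", create_session_dir(base, "s35S10nT3Mp"));
    std::printf("traversal id: %d\n", create_session_dir(base, "../escape"));
    return 0;
}
```

The ID must be validated inside the helper, because whatever PHP sends over the socket crosses a privilege boundary and cannot be trusted by the process that holds write permission.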