Web Hosting Talk

View Full Version : .htaccess security question? (chmod 666)


MGCJerry
06-26-2004, 03:16 AM
I have a little php/MySQL script running that edits my .htaccess file, so my .htaccess has to have write permissions (chmod 666). What are the security issues with doing this?

My htaccess is located in my account root folder ( / ), and not my web root ( /public_html ).

Thanks in advance.

LP-Trel
06-26-2004, 04:29 AM
If you run PHP as nobody or the Apache user (as mod_php), giving write permissions is a potential vulnerability. If you use open_basedir it reduces the risk.

Bashar
06-26-2004, 04:34 AM
Apache blocks access to /.htaccess files.

But local users might be able to read that file with cat ~login/path/to/.htaccess, and even write to it.

I'd suggest chmodding it to 660 and changing the group to nobody so only Apache can write to it.

Although it's not possible to change ownership to nobody except by a script that runs under the nobody user.
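
The permission check discussed in the posts above, as an added example that is not part of the original thread: a POSIX shell sketch that flags .htaccess files any local user could write (mode 666) or read (mode 644), and applies the 660 mode suggested above. The function names and the temporary demo directory are assumptions; changing the group to the web server's user still needs the host's help.

```shell
#!/bin/sh
# Added example (not from the thread): audit .htaccess permission bits.

# classify_htaccess FILE -> prints world-writable, world-readable, or ok
classify_htaccess() {
    # -perm -0002 matches when the "other" write bit is set (e.g. 666)
    if [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]; then
        echo "world-writable"
    # -perm -0004 matches when the "other" read bit is set (e.g. 644)
    elif [ -n "$(find "$1" -prune -perm -0004 2>/dev/null)" ]; then
        echo "world-readable"
    else
        echo "ok"
    fi
}

# audit_htaccess DIR -> one "<status> <path>" line per .htaccess under DIR
audit_htaccess() {
    find "$1" -type f -name .htaccess | while IFS= read -r f; do
        printf '%s %s\n' "$(classify_htaccess "$f")" "$f"
    done
}

# tighten_htaccess FILE -> owner and group read/write only (mode 660).
# The group must still be set to the web server's group by someone with
# the privilege to do so; that step is outside this sketch.
tighten_htaccess() {
    chmod 660 "$1"
}

# Demo on constructed files in a throwaway directory.
demo() {
    d=$(mktemp -d)
    mkdir "$d/account" "$d/account/public_html"
    touch "$d/account/.htaccess" "$d/account/public_html/.htaccess"
    chmod 666 "$d/account/.htaccess"              # the setup from the question
    chmod 644 "$d/account/public_html/.htaccess"
    echo "before:"; audit_htaccess "$d"
    tighten_htaccess "$d/account/.htaccess"
    echo "after:";  audit_htaccess "$d"
    rm -rf "$d"
}
demo
```

Mode 660 only keeps other local accounts out if PHP scripts owned by those accounts do not also run as the web server user, which is the situation described in the first reply.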

MGCJerry
06-26-2004, 05:47 AM
Thanks for the responses, Trel and Bashar.

I'm not sure what Apache runs under. I'd have to ask my host. I also don't think anyone has shell access to the server, so me changing groups is not possible.

So, having the file in the location I'm in makes it safe from the "web", but it could be read by somebody locally?

LP-Trel
06-26-2004, 06:03 AM
Read up on the system, shell_exec, etcetera functions of PHP. ;)

MGCJerry
06-26-2004, 06:07 AM
Thankfully, my host has those disabled... Or the last that I heard he did. ;)