Re: Secure system calls -- how


 



Niels wrote:
> Jennifer Goodie wrote:
>
>> Should web applications have access to areas on the file system that the
>> apache user doesn't?  I personally only allow my web applications access
>> to certain areas on purpose and set my permissions to accomplish this.  If
>> I need to be a user other than nobody to do something, I don't want my web
>> applications doing it.  Of course, I work in an environment where I have
>> root access to dedicated servers and a sysadmin that listens to what I
>> want, so your experience may be different.  I admittedly do not have a lot
>> of experience getting around the problems caused by shared hosting.
>
> This particular PHP application manages users and has to update their
> passwords, move their files around and more. And it manages hardware also,
> with similar problems. And it has to run several scripts and programs that
> control the network. So I need a secure way of doing those things.
>
> And yes, I can get root access or make whatever scheme of permissions and
> sudos I want -- or maybe something with Linux security modules, but I don't
> really know anything about those. I'm running the program on an intranet on
> a dedicated server, but probably with internet access to the application
> some time in the future.
>
> So my question is: Is sudo the best solution?

Don't take this the wrong way, but you're probably not really skilled enough
(yet) to do what you want to do...

sudo is probably the best solution, but you've got a long row to hoe
before you could safely implement all the features you describe...

That said, if you mostly trust everybody on your Intranet, and if you're
willing to put off the Internet access for a long, indefinite time period,
you'd be "okay" if you can prod your users to report oddities and errors,
and if you do a TON of security reading between now and the day when you
put it live on the Internet.

If you don't trust your Intranet users, do this on a development machine
that only you can access until you're way way way more comfy with sudo and
Linux security in general.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
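The reply above recommends sudo for a PHP application that must change user passwords and run privileged scripts. As an added example (not from the original thread, and not code from any PHP or sudo project), here is the shape such a setup usually takes: a tightly scoped sudoers rule, and a root-owned helper that treats every argument it receives as untrusted input, because sudo matches the command and its arguments literally and cannot check what those arguments contain. The sudoers rule, the path /usr/local/sbin/webadm-setpass, the www-data account name and the 1000-59999 UID range for "managed" users are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: a root-owned helper that a
# PHP application invokes through sudo to change one user's password.
#
# Assumed sudoers rule (hypothetical path and account name):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/webadm-setpass
# sudo only matches the command path literally; it does not validate
# arguments, so the helper itself must treat everything it gets as hostile.

# Accept only conservative usernames: 1-32 chars, starting with a letter or
# underscore, then letters, digits, underscore or hyphen. This also blocks
# option injection ("-rf") and shell metacharacters ("; rm -rf /").
validate_username() {
  case "$1" in
    ''|-*|[0-9]*) return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Only accounts in the assumed "managed users" UID range 1000-59999 may be
# touched; root, system accounts and nobody (65534) are refused, as is any
# name that does not resolve to an account at all. Called only after
# validate_username, so id(1) never sees an option-looking argument.
is_managed_user() {
  uid=$(id -u "$1" 2>/dev/null) || return 1
  [ "$uid" -ge 1000 ] && [ "$uid" -le 59999 ]
}

# Read the new password from stdin rather than argv, so it is never visible
# in ps output or in sudo's logged command line, then hand it to chpasswd.
set_password() {
  user="$1"
  validate_username "$user" || { echo "refused: bad username" >&2; return 2; }
  is_managed_user "$user"  || { echo "refused: not a managed account" >&2; return 3; }
  IFS= read -r newpass || { echo "refused: no password on stdin" >&2; return 4; }
  printf '%s:%s\n' "$user" "$newpass" | chpasswd
}

# Entry point when run as a script: exactly one argument, the username.
if [ "$#" -eq 1 ]; then
  set_password "$1"
fi
```

On the PHP side the application would run `sudo /usr/local/sbin/webadm-setpass <user>` through proc_open() and write the new password to the child's stdin, so the secret never appears in argv. The sudoers rule should name the exact path with no wildcards, the helper should be owned by root and not writable by the web user, and every other privileged action (moving files, running network scripts) deserves its own equally narrow helper rather than a general-purpose "run this command" entry.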

