If your web server is set up to read files with the .php extension
through the PHP engine (it is, I guess),
then nobody from outside (using HTTP) can read the content of the
original PHP file, only the output of that particular script.
The only concern you may have is that somebody else on that server
can read that file.
E.g. anybody who can log in to the server can read all your files with
permission set to read on 'other'.
On May 12, 2008, at 11:37 PM, David Jourard wrote:
Bojan Tesanovic wrote:
Heh, you are really new to Linux.
Permissions on Linux are set on a per user/group/other basis,
so for the most secure setup, set permissions to read-only for the web-server user,
so
chown 'webserveruser' file.php
chmod 400 file.php
Make sure you have root access on the server so you can change that file,
or make a group for the web server as your group and set read
permissions on group level:
chmod 440 file.php
Thank you.
But most web sites are virtually hosted and do not have root access
to set this up.
Most people just take the package and install with default masks.
So again I ask:
Are there any security concerns when the read permission
is set on other, i.e. couldn't one write a program to remotely read
the contents of the file?
Wouldn't it be better if the read permission was set for
user only and the PHP engine
could run the program as user, like one can do for CGI using suEXEC?
Again thanks
David J.
Bojan Tesanovic
http://www.carster.us/
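
An added example, not part of the original thread: a POSIX shell audit for the concern discussed above (.php files readable by 'other') and a fix that needs no root access, since it only changes mode bits on files you already own. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# List .php files under directory $1 whose "other" read bit (004) is set,
# i.e. files any local account on a shared host can read.
list_world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004 | sort
}

# Strip all "other" access from those files. Owner and group bits are left
# untouched, so 644 becomes 640 and 604 becomes 600.
# Assumption: the web server reads the files as the owner (suEXEC-style)
# or through the file's group; otherwise PHP can no longer open them.
tighten_php() {
    find "$1" -type f -name '*.php' -perm -004 -exec chmod o-rwx {} +
}

# When run with a directory argument, report only; changing modes is left
# to an explicit call to tighten_php.
if [ $# -gt 0 ]; then
    list_world_readable_php "$1"
fi
```

Run the audit first and confirm which account the PHP engine runs as before calling `tighten_php`, because on a host where PHP runs as a separate user outside your group, removing 'other' read stops the scripts from loading.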