Your other proposed solution results in the same situation, correct? No
matter what, Apache needs read access to any and all files, so no matter
what, PHP will have access to read any user's files. There's no way around
that for a shared hosting situation that I know of...

If you remove the group's write privs, then PHP scripts can't really do any
damage at least.

Your solution doesn't work because the user "keith" could still do a "ls
/home/shannon/public_html/" and get the directory listing (shannon's
public_html directory is 0755, per your suggestion). Unless I'm missing

 - Keith Palmer

On Thu, February 12, 2009 10:45 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>> Thanks so much, this solution works really well! It doesn't lock users
>> out of the entire system, but it does ensure that users can't view other
>> users' files via SFTP/SSH, which is fantastic.
> This solution enforces the switch of all user directories to group "www",
> which also means that any member of the group www gets access to these
> directories. This would be even more dangerous if your webserver runs
> with gid www and contains a php-module or something similar with a long
> tradition of security problems. Sorry, but you really, really should not
> do it this way.
> The sticky bit for group www on the public_html directories can be a good
> idea, though.
> bye,
> Uwe
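The whole exchange turns on how the kernel's discretionary permission check treats the three layouts under discussion: a world-readable `public_html` (0755), a `public_html` owned by the user but with group `www` and group bits `r-x` (0750), and the same directory with group write left on (0770). The script below is an added example, not code from this thread or from either poster; it models the owner/group/other check and evaluates those layouts for constructed principals `keith`, `shannon` and `www-data` (the uids, gids and the `/home/shannon/public_html` path are assumptions for illustration). It ignores root's bypass of DAC and POSIX ACLs, and the `inode_from_path` helper is only there so the same check can be run against a real directory with `os.stat`.

```python
"""Model of the Unix discretionary access check (owner / group / other)
applied to the shared-hosting directory layouts discussed in the thread.

Added example, not from the original mail. All names, uids, gids and paths
are constructed for illustration."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A process identity: effective uid, primary gid, supplementary gids."""
    name: str
    uid: int
    gid: int
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Inode:
    """A file or directory: owner, group and permission bits (e.g. 0o750)."""
    path: str
    uid: int
    gid: int
    mode: int


def permitted(p: Principal, node: Inode, want: str) -> bool:
    """Classic DAC check: exactly one permission class applies.

    Owner class if the uid matches; otherwise group class if the inode's gid is
    the primary or a supplementary group; otherwise the 'other' class. A match
    on owner does NOT fall through to group/other bits, just as in the kernel.
    Root bypass and POSIX ACLs are deliberately not modelled."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if p.uid == node.uid:
        shift = 6
    elif p.gid == node.gid or node.gid in p.groups:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & bit)


def can_list(p: Principal, d: Inode) -> bool:
    """`ls dir` needs read on the directory; traversing into it needs execute."""
    return permitted(p, d, "r") and permitted(p, d, "x")


# Constructed principals (assumed uids/gids; www-data is the web server user).
KEITH = Principal("keith", 1001, 1001)
SHANNON = Principal("shannon", 1002, 1002)
APACHE = Principal("www-data", 33, 33)
WWW_GID = 33  # assumed gid of group "www"


def evaluate(public_html_mode: int, group_gid: int) -> dict:
    """Evaluate one layout of shannon's public_html for the three principals."""
    d = Inode("/home/shannon/public_html", SHANNON.uid, group_gid, public_html_mode)
    return {
        "keith_can_list": can_list(KEITH, d),          # another customer
        "apache_can_read": can_list(APACHE, d),        # the web server
        "apache_can_write": permitted(APACHE, d, "w"), # what a PHP script could do
        "shannon_can_write": permitted(SHANNON, d, "w"),
    }


def inode_from_path(path: str) -> Inode:
    """Build an Inode from a real directory so the same check can audit a host."""
    st = os.stat(path)
    return Inode(path, st.st_uid, st.st_gid, st.st_mode & 0o777)


if __name__ == "__main__":
    for label, mode, gid in (
        ("0755, group shannon (world readable)", 0o755, SHANNON.gid),
        ("0750, group www (read-only for the server)", 0o750, WWW_GID),
        ("0770, group www (server may write)", 0o770, WWW_GID),
    ):
        print(label, evaluate(mode, gid))
```

Run as-is it prints one line per layout; the first shows that with 0755 `keith` can still list `/home/shannon/public_html`, the second that group `www` with the group write bit off lets the server read but not modify, and the third that leaving group write on is exactly the case where a compromised PHP process could alter the files.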
