please hack apart this solution and point out the error/insecure nature of the

goal, provide php access to name based virtual hosts on FreeBSD boxes

problem, security of PHP access to base system and other user scripts


apache compiled with suexec
# set user and group to unique
chown USERID:USERID /path/to/user/html/directory

# no public access to any files under here that
# you don't want public reading, like scripts
# with database login information in them
chmod -R 0750 /path/to/user/html/directory

# set group sticky execution...  we will run
# apache as this unique group so may not be needed
chmod g+s /path/to/user/html/directory

>in apache's httpd.conf
# set each virtual host to run any accesses
# as the group USERID giving them only access
# to this directory...  defeats PHP directory
# and shell scripts as long as no public read bits
# are set
<virtual *>


you end up with and being unable to create PHP
scripts or do listings of any other virtual user directory since they are not of
the same group, but accesses to the site are made by invoking apache as that
group for that session.

directory tree
drwxr-s---  2 user1   user1  512  Aug 19 18:23  vtest1
drwxr-s---  2 user2   user2  512  Aug 19 18:26  vtest2

with directory groups set in the httpd.conf for user1 in vtest1 and user2 in
vtest2, neither user should be able to use PHP filesystem functions to browse
the other directories as long as no public bits are set, and apache server
requests still server the documents from the directories since each users
directory has an Group user1 (or user2) set for his directory in the directory
or virtual container, thus executing the apache requsts as the appropriate user
and not the generic www user.

Please feel free to point out any errors in my logic...  it appears pretty solid
from here.


PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to