> I want to keep their information on Mysql. That is,
> if possible I don't want to create real system accounts.
>
> The problem is... using PHP, they can open any file
> that is readable to nobody account (Apache user)..
> So it can read and even edit other users' files..
>

These two statements seem at odds with each other (to me anyway) .. if you're completely managing the user 'virtually' within mysql you could manage all your permissions and access within the database with sessions and a user id ... if on the other hand you are creating accounts on the system just with a nologin shell, then you're in a pickle with no real solution ... if the 'nobody' group needs read permission then you're correct that most anyone can read anyone else's work ... your only real option is to create some kind of wrapper script for accessing the files that checks the db perms first.

BTW, there are *lots* of ISPs offering shell access (and web accounts) out there where this is an issue ... the entire /home tree is 0755 permed and user a can read/execute user b's stuff. .... even a 0750 doesn't fix it most of the time as the users share a common group ... I guess you could go with 0750, set uid=gid and then add 'nobody' to everyone's groups though ...

... enough, I'm just thinking out loud now.

Hank

--
Hank Marquardt <[EMAIL PROTECTED]>
http://web.yerpso.net
GPG Id: 2BB5E60C Fingerprint: D807 61BC FD18 370A AC1D 3EDF 2BF9 8A2D 2BB5 E60C
*** Web Development: PHP, MySQL/PgSQL - Network Admin: Debian/FreeBSD
*** PHP Instructor - Intnl. Webmasters Assn./HTML Writers Guild
*** Beginning PHP -- Starts January 7, 2002
*** See http://www.hwg.org/services/classes
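
The wrapper script suggested in the reply above, sketched as an added example that is not part of the original message. The `file_acl` table, the `open_for_user()` function, the directory layout and the in-memory SQLite database standing in for MySQL are all assumptions made for illustration; it expects a Unix host with the pdo_sqlite extension.

```php
<?php
// Added example: file access goes through one function that asks the
// database who may read a path. Table, paths and user ids are hypothetical.

function open_for_user(PDO $db, int $userId, string $baseDir, string $relPath)
{
    // Resolve symlinks and "../" so the checks run on the real target.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $relPath);
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    // Refuse anything that resolves outside the managed tree.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    // The database, not the filesystem mode bits, decides who may read.
    $stmt = $db->prepare('SELECT 1 FROM file_acl WHERE user_id = ? AND path = ?');
    $stmt->execute([$userId, substr($real, strlen($base) + 1)]);
    if ($stmt->fetchColumn() === false) {
        return false;
    }
    return fopen($real, 'rb');
}

// Constructed demo data: two virtual users, one file each.
$base = sys_get_temp_dir() . '/acl_demo_' . getmypid();
mkdir("$base/alice", 0700, true);
mkdir("$base/bob", 0700, true);
file_put_contents("$base/alice/notes.txt", "alice's notes\n");
file_put_contents("$base/bob/plan.txt", "bob's plan\n");

$db = new PDO('sqlite::memory:'); // stand-in for the MySQL user database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE file_acl (user_id INTEGER, path TEXT)');
$db->exec("INSERT INTO file_acl VALUES (1, 'alice/notes.txt'), (2, 'bob/plan.txt')");

// User 1 asks for four paths; each line prints whether a handle was granted.
foreach (['alice/notes.txt', 'bob/plan.txt', 'alice/../bob/plan.txt', '../../etc/passwd'] as $p) {
    printf("%-24s %s\n", $p, open_for_user($db, 1, $base, $p) ? 'granted' : 'denied');
}
```

The check only constrains code that calls the wrapper; PHP that users upload and run themselves still executes as the Apache user and can call `fopen()` directly.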