I should explain in a bit more detail. Actually, the users can have PHP
files. And these PHP files can access other users' stuff.
And consider they are real users; then how will I tell the Apache server to
run as the user owning the file?
Is a real solution impossible?
On Sun, 25 Nov 2001, Hank Marquardt wrote:
> > I want to keep their information in MySQL. That is,
> > if possible I don't want to create real system accounts.
> >
> > The problem is... using PHP, they can open any file
> > that is readable to the nobody account (Apache user).
> > So it can read and even edit other users' files.
> >
> >
> These two statements seem at odds with each other (to me anyway) .. if
> you're completely managing the user 'virtually' within MySQL you could
> manage all your permissions and access within the database with sessions
> and a user id ... if on the other hand you are creating accounts on the
> system just with a nologin shell, then you're in a pickle with no real
> solution ... if the 'nobody' group needs read permission then you're
> correct that most anyone can read anyone else's work ... your only
> real option is to create some kind of wrapper script for accessing the
> files that checks the db perms first.
>
> BTW, there are *lots* of ISPs offering shell access (and web accounts)
> out there where this is an issue ... the entire /home tree is 0755
> permed and user a can read/execute user b's stuff. .... even a 0750
> doesn't fix it most of the time as the users share a common group ... I
> guess you could go with 0750, set uid=gid and then add 'nobody' to
> everyone's groups though ...
>
> ... enough, I'm just thinking out loud now.
>
> Hank
>
>
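The three /home permission layouts mentioned in the quoted reply, run through the standard Unix owner/group/other check. This is an added example, not part of the original thread; the uids, gids, file modes (0644/0640) and the assumption that Apache runs as `nobody` with no other groups unless stated are all constructed for illustration.

```python
# Added illustration (not from the thread): Unix owner/group/other checks
# applied to the /home layouts discussed. All uids/gids are constructed.
from collections import namedtuple

Proc = namedtuple("Proc", "uid gids")        # gids: primary + supplementary
Inode = namedtuple("Inode", "uid gid mode")

R, X = 4, 1
USERS, NOBODY, A, B = 100, 65534, 1001, 1002  # constructed ids

def may(proc, inode, want):
    """Classic Unix check: exactly one class applies, with no fall-through.
    Root and ACLs are not modelled."""
    if proc.uid == inode.uid:
        bits = inode.mode >> 6
    elif inode.gid in proc.gids:
        bits = inode.mode >> 3
    else:
        bits = inode.mode
    return ((bits & 7) & want) == want

def can_read(proc, home, path):
    # Opening /home/a/file needs search (x) on the directory and read on the file.
    return may(proc, home, X) and may(proc, path, R)

def evaluate(layout):
    """Who can read user a's file: user b from a shell, and Apache (hence any
    user's PHP script, since it runs as the Apache user)."""
    if layout == "0755":            # shared 'users' group, world-readable homes
        home, path = Inode(A, USERS, 0o755), Inode(A, USERS, 0o644)
        b, apache = Proc(B, {USERS}), Proc(NOBODY, {NOBODY})
    elif layout == "0750-shared":   # tighter mode, users still share a group
        home, path = Inode(A, USERS, 0o750), Inode(A, USERS, 0o640)
        b, apache = Proc(B, {USERS}), Proc(NOBODY, {NOBODY})
    elif layout == "0750-private":  # uid=gid, 'nobody' added to every user's group
        home, path = Inode(A, A, 0o750), Inode(A, A, 0o640)
        b, apache = Proc(B, {B}), Proc(NOBODY, {NOBODY, A, B})
    else:
        raise ValueError(layout)
    return {"shell_user_b": can_read(b, home, path),
            "apache_php": can_read(apache, home, path)}

if __name__ == "__main__":
    for name in ("0755", "0750-shared", "0750-private"):
        print(name, evaluate(name))
```

The last layout blocks user b at the shell but leaves the Apache user able to read every home, so a PHP script uploaded by b and executed by Apache still reaches a's files.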