I should explain in a bit more detail. Actually, the users can have PHP
files. And these PHP files can access other users' stuff.

And consider they are real users, then how will I tell the Apache server to
run as the user owning the file?

Is a real solution impossible?


On Sun, 25 Nov 2001, Hank Marquardt wrote:

> > I want to keep their information in MySQL. That is,
> > if possible I don't want to create real system accounts.
> > 
> > The problem is... using PHP, they can open any file 
> > that is readable to the nobody account (Apache user). 
> > So it can read and even edit other users' files.
> > 
> These two statements seem at odds with each other (to me anyway) ... if
> you're completely managing the user 'virtually' within MySQL you could
> manage all your permissions and access within the database with sessions
> and a user id ... if on the other hand you are creating accounts on the
> system just with a nologin shell, then you're in a pickle with no real
> solution ... if the 'nobody' group needs read permission then you're
> correct that most anyone can read anyone else's work ... your only
> real option is to create some kind of wrapper script for accessing the
> files that checks the db perms first.
> 
> BTW, there are *lots* of ISPs offering shell access (and web accounts)
> out there where this is an issue ... the entire /home tree is 0755
> permed and user a can read/execute user b's stuff.  .... even a 0750
> doesn't fix it most of the time as the users share a common group ... I
> guess you could go with 0750, set uid=gid and then add 'nobody' to
> everyone's groups though ...
> 
> ... enough, I'm just thinking out loud now.
> 
> Hank
> 
> 
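The wrapper idea from the quoted reply (check the database permissions before touching the file), as an added example that is not code from either poster. It only helps in the fully "virtual" case, where users never run their own PHP under the shared Apache account. The `file_acl` table, the function names and the storage root are hypothetical, in-memory SQLite stands in for MySQL, and a Unix host with `pdo_sqlite` is assumed.

```php
<?php
declare(strict_types=1);
// Added example; file_acl, resolve_inside() and read_user_file() are hypothetical names.

function resolve_inside(string $root, string $relative): ?string
{
    $rootReal = realpath($root);
    $full = realpath($root . '/' . $relative); // collapses ../ and follows symlinks
    if ($rootReal === false || $full === false || !is_file($full)) {
        return null;
    }
    $prefix = $rootReal . '/';
    // Reject anything that resolved outside the storage root; return the canonical relative path.
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? substr($full, strlen($prefix)) : null;
}

function read_user_file(PDO $db, int $userId, string $root, string $relative): string
{
    $path = resolve_inside($root, $relative);
    if ($path === null) {
        throw new RuntimeException('access denied');
    }
    // The database row, not the filesystem mode bits, decides who may read what.
    $stmt = $db->prepare('SELECT 1 FROM file_acl WHERE user_id = ? AND path = ?');
    $stmt->execute([$userId, $path]);
    $data = $stmt->fetchColumn() === false ? false : file_get_contents($root . '/' . $path);
    if ($data === false) {
        throw new RuntimeException('access denied');
    }
    return $data;
}

// Constructed sample data: two virtual users with one file each.
$root = sys_get_temp_dir() . '/vusers_' . bin2hex(random_bytes(4));
mkdir($root . '/alice', 0700, true);
mkdir($root . '/bob', 0700, true);
file_put_contents($root . '/alice/notes.txt', "alice's notes\n");
file_put_contents($root . '/bob/notes.txt', "bob's notes\n");
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE file_acl (user_id INTEGER, path TEXT)');
$db->exec("INSERT INTO file_acl VALUES (1, 'alice/notes.txt'), (2, 'bob/notes.txt')");

foreach (['alice/notes.txt', 'bob/notes.txt', 'alice/../bob/notes.txt', '../../etc/passwd'] as $req) {
    try {
        echo "user 1 -> $req: ", trim(read_user_file($db, 1, $root, $req)), "\n";
    } catch (RuntimeException $e) {
        echo "user 1 -> $req: ", $e->getMessage(), "\n";
    }
}
```

The ACL lookup runs on the canonical path returned by `realpath()`, so a request such as `alice/../bob/notes.txt` is checked as `bob/notes.txt` rather than matched by its spelling.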



-- 
PHP General Mailing List (http://www.php.net/)