End goals
- avoid using CGI
- restrict PHP programs to user directory
- allow PHP from http to manipulate files/links/uploads/etc...

Apache main config sets user and group to "nobody"

Apache Virtual Host for site contains

    # restrict web pages root in specific sub-directory
    DocumentRoot /www/user1/public
    # have web server run as user for file upload permissions,
    # and link/file set unset
    user user1
    # set group nobody if user belongs to group with permissions
    group nobody
    # set base dir for PHP operations to user "root" directory to allow
    # out of web accessible folder storage of inc files etc...
    php_admin_value open_basedir /www/user1
    # provide upload directory within the php base directory for
    # permission to upload and move files to final location
    php_admin_value upload_tmp_dir /www/user1/tmp

Logically, this should...
- allow php to manipulate the user's area fully but deny access to commands outside his directory
- allow php to upload files into private tmp directory owned by user, which php then has permission to relocate as needed
- allow php to create symlinks, delete files, any other such filesystem operations within his personal tree
- require any executables to be within his directory tree for php to call them

Clarifications, corrections, comments?

Dave

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
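
One way to check what a virtual host configured like the one above really enforces is to ask PHP from inside it. This is an added example, not code from the original post: the function names and the /etc/hosts probe path are assumptions, and it expects PHP 7 or later on a Unix host.

```php
<?php
// Added example (not from the original post). Assumes PHP 7+ on a Unix host;
// the posix extension is optional. Request it through the vhost, then remove it.

// True when $path resolves to a location under one of the open_basedir entries.
function insideBase(string $path, array $bases): bool
{
    $real = @realpath($path);   // false if missing or blocked by open_basedir
    if ($real === false) {
        return false;
    }
    foreach ($bases as $base) {
        $b = @realpath($base);
        if ($b === false) {
            continue;
        }
        $b = rtrim($b, DIRECTORY_SEPARATOR);
        if ($real === $b || strpos($real, $b . DIRECTORY_SEPARATOR) === 0) {
            return true;
        }
    }
    return false;
}

function auditVhost(): array
{
    $raw   = (string) ini_get('open_basedir');
    $bases = $raw === '' ? [] : explode(PATH_SEPARATOR, $raw);
    $tmp   = (string) ini_get('upload_tmp_dir');
    $tmp   = $tmp !== '' ? $tmp : sys_get_temp_dir();
    $pw    = function_exists('posix_getpwuid') ? posix_getpwuid(posix_geteuid()) : false;

    return [
        'process user'           => $pw ? $pw['name'] : 'unknown (posix extension missing)',
        'open_basedir'           => $raw !== '' ? $raw : 'NOT SET',
        'upload_tmp_dir'         => $tmp,
        'upload tmp inside base' => insideBase($tmp, $bases) ? 'yes' : 'no',
        'upload tmp writable'    => @is_writable($tmp) ? 'yes' : 'no',
        // Probe path is an assumption: /etc/hosts exists and is world-readable.
        'read outside base'      => @is_readable('/etc/hosts') ? 'ALLOWED' : 'denied',
        // open_basedir only covers PHP's own file functions, not programs
        // started through exec()/system(), so report what is disabled.
        'disable_functions'      => (string) ini_get('disable_functions') ?: '(none)',
    ];
}

header('Content-Type: text/plain');
foreach (auditVhost() as $check => $result) {
    printf("%-24s %s\n", $check, $result);
}
```

The "process user" line shows which account PHP runs as for that request, which is what decides ownership of uploaded and relocated files.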