End goals
- avoid using CGI
- restrict PHP programs to user directory
- allow PHP from http to manipulate files/links/uploads/etc...

Apache main config sets user and group to "nobody"
Apache Virtual Host for site contains
        # restrict web pages root in specific sub-directory
  DocumentRoot /www/user1/public
        # have web server run as user for file upload permissions,
        # and link/file set unset
  user user1
        # set group nobody if user belongs to group with permissions
  group nobody
        #set base dir for PHP operations to user "root" directory to allow
        # out of web accessible folder storage of inc files etc...
  php_admin_value open_basedir /www/user1
        # provide upload directory within the php base directory for
        # permission to upload and move files to final location
  php_admin_value upload_tmp_dir /www/user1/tmp


Logically, this should...
- allow php to manipulate the user's area fully but deny access to commands
outside his directory
- allow php to upload files into private tmp directory owned by user, which php
then has permission to relocate as needed
- allow php to create symlinks, delete files, any other such filesystem
operations within his personal tree
- require any executables to be within his directory tree for php to call them


Clarifications, corrections, comments?

Dave


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
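
A self-check for the setup in the post above, as an added example that is not part of the original message: a PHP page served from this virtual host that reports whether the `open_basedir` and `upload_tmp_dir` settings took effect. It assumes PHP 7.4 or later and the post's paths `/www/user1` and `/www/user1/tmp`; the function names and the `/etc/passwd` probe file are choices made for this example.

```php
<?php
// Added example, not from the original post. Serve it from the virtual host
// so the php_admin_value settings apply; the CLI would not see them.

// True when $path is $base or lies below it, compared on a directory
// boundary so that /www/user10 is not treated as part of /www/user1.
function inside(string $path, string $base): bool
{
    $base = rtrim($base, '/') . '/';
    return strncmp(rtrim($path, '/') . '/', $base, strlen($base)) === 0;
}

function check_sandbox(string $userRoot, string $outsideFile): array
{
    $r = [];

    // The directive is spelled open_basedir; confirm it actually took effect.
    $bases = array_filter(explode(PATH_SEPARATOR, (string) ini_get('open_basedir')));
    $r['open_basedir is set'] = count($bases) > 0;

    // Every allowed base directory must lie within the user's tree.
    $stray = array_filter($bases, fn($b) => !inside($b, $userRoot));
    $r['open_basedir confined to user tree'] = count($bases) > 0 && count($stray) === 0;

    // The post places the upload directory inside the base directory.
    $tmp = (string) ini_get('upload_tmp_dir');
    $r['upload_tmp_dir inside user tree'] = $tmp !== '' && inside($tmp, $userRoot);
    $r['upload_tmp_dir writable'] = $tmp !== '' && @is_writable($tmp);

    // A read outside the tree must be refused by PHP's file functions.
    $r['read outside tree denied'] = @file_get_contents($outsideFile) === false;

    // open_basedir governs PHP's own file functions, not programs started
    // through exec() and friends, so report those functions separately.
    $shell = ['exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open'];
    $off = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $r['program-execution functions disabled'] = count(array_diff($shell, $off)) === 0;

    return $r;
}

// Paths from the post; /etc/passwd is this example's outside-the-tree probe.
header('Content-Type: text/plain');
foreach (check_sandbox('/www/user1', '/etc/passwd') as $check => $ok) {
    printf("%-40s %s\n", $check, $ok ? 'OK' : 'FAIL');
}
```

Remove the page once the checks have been read, since it discloses configuration details to anyone who requests it.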
