On Mon, 17 Dec 2007, Drew A. Withers wrote:

> Dan Mahoney, System Admin wrote:
>> What OS?
>
> Debian Linux Etch 4.0r1
> Apache 2.2.3
> PHP 5.2.0
> suphp 0.6.2, I assume it comes compiled in owner mode. (This is how it
> appears to work when I'm using local user's home directories)
>
> That is the mode that we want because we have many users and we don't
> want to have to specify UIDs or GIDs. It should be done based on the
> owner of the script.
>
>> That said, I have a similar "squash" in effect on my end. Accesses by
>> root on the NFS client map to UID -1 on the server -- so as long as all
>> the files involved are world-readable (as they should be) you should be
>> fine (as I'm currently looking through my homedir as root...but can't
>> open my .mail file.
>
> It is true that suphp has no problem when the php file in question is
> world-readable, but we don't want all php files to be world readable.
> That doesn't make much sense.
Sure it does. Let's look at the most often exploited code I have on my box
(phpBB). The scripts themselves are world-readable (and who cares, if someone
wants to read the source to look for exploits, they can just download a copy).
However, I carefully chmod any script that is *included* (i.e. the config.php)
to mode 600 (since that's where the DB login is). That file never gets directly
run by either the webserver or suphp, but is simply "included" by the user code,
which is already running as the user at this point.

I also have a webmin/usermin module (of my own design) in place which scans:
a) for group writable files, b) for overly permissive directories and c) for
known script config files (like the above) under a home directory on login and
offers to "fix" them to a more solid permissions setting.

Additionally, protecting your inner config files in such a way generally
enforces that in that rare case where php starts just outputting your scripts'
source, rather than executing them -- that the actual *important* script data
isn't readable at all via the webserver.

-Dan

--
"If you aren't going to try something, then we might as well just be friends."
"We can't have that now, can we?"
-SK & Dan Mahoney, December 9, 1998

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

_______________________________________________
suPHP mailing list
[email protected]
http://lists.marsching.biz/mailman/listinfo/suphp
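As an added illustration of the three checks Dan's scanner performs (this is example code written for this page, not Dan's webmin/usermin module and not part of suphp), the following POSIX shell script walks a home directory, reports group-writable files, world-writable directories and any `config.php` readable by group or other, and with `fix` as the second argument tightens them (the config file to mode 600, as the reply recommends). The output format, the choice of `config.php` as the only known config name, and the constructed sample directory are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from suphp: a minimal permission
# audit in the spirit of the webmin/usermin module Dan describes. It walks a
# home directory and reports
#   GROUPWRITE <file>  a) group-writable regular file
#   OPENDIR    <dir>   b) overly permissive (world-writable) directory
#   CONFIGREAD <file>  c) known config file (config.php) readable by group/other
# and, with "fix" as the second argument, tightens each finding the way the
# thread suggests (config.php to mode 600). Output format, the single
# config-file name and the sample layout are this example's own choices.

audit_home() {
  dir=$1
  action=${2:-report}
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

  # a) group-writable regular files: drop the group write bit
  find "$dir" -type f -perm -020 | while IFS= read -r f; do
    echo "GROUPWRITE $f"
    if [ "$action" = fix ]; then chmod g-w "$f"; fi
  done

  # b) world-writable directories: drop the world write bit
  find "$dir" -type d -perm -002 | while IFS= read -r d; do
    echo "OPENDIR $d"
    if [ "$action" = fix ]; then chmod o-w "$d"; fi
  done

  # c) included config files (DB credentials) readable by group or other:
  #    only the owner (the user suphp runs the including script as) needs them
  find "$dir" -type f -name config.php \( -perm -040 -o -perm -004 \) |
  while IFS= read -r c; do
    echo "CONFIGREAD $c"
    if [ "$action" = fix ]; then chmod 600 "$c"; fi
  done
}

# Constructed sample home directory with one instance of each finding plus one
# clean file; prints its path so the caller can remove it afterwards.
make_sample_home() {
  base=$(mktemp -d)
  mkdir -p "$base/public_html/phpbb" "$base/public_html/uploads"
  printf '<?php echo "index";\n' > "$base/public_html/index.php"
  chmod 664 "$base/public_html/index.php"             # a) group-writable
  chmod 777 "$base/public_html/uploads"               # b) world-writable dir
  printf '<?php $dbpasswd = "secret";\n' > "$base/public_html/phpbb/config.php"
  chmod 644 "$base/public_html/phpbb/config.php"      # c) world-readable config
  printf '<?php echo "ok";\n' > "$base/public_html/ok.php"
  chmod 644 "$base/public_html/ok.php"                # clean: a readable script is fine
  echo "$base"
}

# Stand-alone run: report, fix, report again (the second report is empty).
demo_home=$(make_sample_home)
echo "== findings =="; audit_home "$demo_home"
echo "== fixing =="; audit_home "$demo_home" fix >/dev/null
echo "== after fix =="; audit_home "$demo_home"
rm -rf "$demo_home"
```

The deliberate asymmetry matches the reply: `ok.php` stays world-readable and is not reported, because a directly executed script being readable is harmless, while the included `config.php` holding the database login is the file that gets locked down to the owner. Running the audit in report mode on login and only applying `fix` after the user agrees keeps it as an offer rather than a silent change, which is how Dan describes his module behaving.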
