Dan Mahoney, System Admin wrote:
> On Mon, 17 Dec 2007, Drew A. Withers wrote:
>> It is true that suphp has no problem when the php file in question is
>> world-readable, but we don't want all php files to be world readable.
>> That doesn't make much sense.
>
> Sure it does.
>
> Let's look at the most often exploited code I have on my box (phpBB).
>
> The scripts themselves are world-readable (and who cares, if someone
> wants to read the source to look for exploits, they can just download a
> copy).
>
> However, I carefully chmod any script that is *included* (i.e. the
> config.php) to mode 600 (since that's where the DB login is). That file
> never gets directly run by either the webserver or suphp, but is simply
> "included" by the user code, which is already running as the user at
> this point.
Our users won't necessarily be using just open source projects. Also, we can't expect all of our users to be aware of these security issues. They don't all know how permissions work. And those writing their own code will likely wonder why they have to allow the world to read their code.

--
Drew A. Withers <[EMAIL PROTECTED]>
Assistant CAEDM CSR
Brigham Young University
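The permission layout Dan describes (a world-readable phpBB script next to a mode-600 config.php that is only ever included) can be checked against the classic Unix read-bit rules. The following is an added example and not code from the thread or from the suPHP project: it models the discretionary access check for a constructed docroot and a request in which, as the thread states, the web server reads the world-readable script and suPHP then runs the interpreter as the script's owner. The uids 33 (web server) and 1001 (site owner), the file names and the modes are constructed assumptions.

```python
"""Model of the permission layout discussed in the thread: a world-readable
script that suPHP executes as its owner, plus a mode-600 config.php that
the script includes while already running under the owner's uid."""
import stat

# Constructed uids/gids; real installations use whatever ids the
# distribution and the hosting setup assign.
WWW_UID, WWW_GID = 33, 33          # assumption: web server account
OWNER_UID, OWNER_GID = 1001, 1001  # assumption: site owner account

# Constructed docroot: file name -> (mode, owner uid, owner gid).
DOCROOT = {
    "index.php":  (0o644, OWNER_UID, OWNER_GID),  # run directly, world-readable
    "config.php": (0o600, OWNER_UID, OWNER_GID),  # DB credentials, only included
}


def can_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Classic Unix discretionary access check for the read bit.

    The owner, group and other classes are tested in that order and the
    first class that matches the process decides; uid 0 bypasses the check.
    """
    if proc_uid == 0:
        return True
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readable_files(docroot, proc_uid, proc_gids):
    """Sorted names of the docroot files the given process can read."""
    return sorted(name for name, (mode, fuid, fgid) in docroot.items()
                  if can_read(mode, fuid, fgid, proc_uid, proc_gids))


def simulate_suphp_request(docroot, script, included):
    """Model one request the way the thread describes it.

    The web server (WWW_UID) reads the requested script; suPHP then runs
    the interpreter as the script's owner, so the include of config.php is
    evaluated with the owner's uid rather than the server's.
    Returns (server_can_read_script, interpreter_uid, include_readable).
    """
    s_mode, s_uid, s_gid = docroot[script]
    server_ok = can_read(s_mode, s_uid, s_gid, WWW_UID, {WWW_GID})
    interp_uid = s_uid                       # suPHP switches to the owner
    i_mode, i_uid, i_gid = docroot[included]
    include_ok = can_read(i_mode, i_uid, i_gid, interp_uid, {s_gid})
    return server_ok, interp_uid, include_ok


if __name__ == "__main__":
    print("web server can read:", readable_files(DOCROOT, WWW_UID, {WWW_GID}))
    print("site owner can read:", readable_files(DOCROOT, OWNER_UID, {OWNER_GID}))
    print("request for index.php:",
          simulate_suphp_request(DOCROOT, "index.php", "config.php"))
```

Run as written, the model shows that the web server account can read only index.php, that the owner can read both files, and that the include of config.php succeeds because the interpreter has already been switched to the owner's uid. Changing config.php to 0o644 in the table makes it readable by the web server account as well, which is exactly the exposure the mode-600 rule is meant to avoid.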
