> On 10-10-31 04:29 AM, Roland Tapken wrote:
>> Hello Kurt,
>> simply let your "www-data"-user be a member of all user's group. This way
>> Apache can read the files of every user and suPHP can be used with different
>> groups.
>
> That only works for a small number of users. Most systems have a limit to the number of effective groups at any given time. In most shared environments, that would mean that the www-data user would have to be a member of, say, 500 groups. Not feasible.
>
> Instead, a better solution would be to use POSIX ACLs to give the www-data user read access to all the user folders. Then you can tighten the permissions substantially while still keeping the user and group of the files to that of the site user. (Make certain you have group read and execute as the group permissions or the ACLs will be ignored.) And you can set a default ACL on each user's folder so that new files and folders have the same permissions attached.
>
Exactly, here is my user-config:

/var/www/user1             user1:www-data  750
/var/www/user1/html        user1:user1     750 or 755
/var/www/user1/html/x.php  user1:user1     640 or 644
/var/www/user2             user2:www-data  750
/var/www/user2/html        user2:user2     750 or 755
/var/www/user2/html/y.php  user2:user2     640 or 644

I can guarantee you that y.php cannot access /var/www/user1 and below... It runs as user2:user2 and can create files/directories in its homedir (incl. /var/www/user2).

Here is the relevant info in suphp.conf (I'm on Debian lenny):

(...)
;User Apache is running as
webserver_user=www-data

;Path all scripts have to be in
docroot=/var/www

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=false

;Umask to set, specify in octal notation
umask=0022
(...)

>
> --
> William Astle
> [email protected]
>
>
>

_______________________________________________
suPHP mailing list
[email protected]
https://lists.marsching.com/mailman/listinfo/suphp
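As an added example (not code from this thread or from the suPHP project), the shell functions below build the directory layout from the post and apply the POSIX ACL approach from William's reply, including a check for the group-bits caveat he mentions; they assume GNU coreutils, the acl package (setfacl/getfacl) and a filesystem mounted with ACL support, and reuse the thread's own paths and the www-data user.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU coreutils (stat -c),
# the acl package (setfacl/getfacl) and a filesystem mounted with ACL support.
# Paths and names follow the post: /var/www/<user>, web server user www-data.

# Create one site as laid out in the post: the top directory is
# user:www-data 750, everything under html/ is owned by the site user.
# Usage: setup_site /var/www user1 www-data
setup_site() {
  root=$1; user=$2; webgroup=$3
  mkdir -p "$root/$user/html"
  chown "$user:$webgroup" "$root/$user"
  chmod 750 "$root/$user"
  chown -R "$user:$user" "$root/$user/html"
  chmod 750 "$root/$user/html"
}

# William's alternative to putting www-data in every site group: an ACL
# entry giving www-data read+execute, plus a default ACL so new entries
# inherit it. Owner and group of the directory stay with the site user.
# Usage: grant_web_acl /var/www/user1/html www-data
grant_web_acl() {
  setfacl -m "u:$2:rx" -m "d:u:$2:rx" "$1"
}

# The caveat from the thread: on a file with an ACL the group bits are the
# ACL mask, so a chmod that drops them (e.g. 700) silently reduces the
# www-data entry to "---". Takes an octal mode string as printed by
# "stat -c %a" and succeeds only if the group triplet carries both r and x.
# Usage: group_bits_allow_rx 750   -> exit status 0
group_bits_allow_rx() {
  mode=$(( 0$1 ))                 # leading 0 makes the shell parse octal
  group=$(( (mode / 8) % 8 ))     # middle triplet
  [ "$group" -eq 5 ] || [ "$group" -eq 7 ]
}

# Report what www-data can actually do on a path: getfacl prints the entry
# and, when the mask cuts it down, appends "#effective:...".
# Usage: show_web_access /var/www/user1/html www-data
show_web_access() {
  if ! group_bits_allow_rx "$(stat -c %a "$1")"; then
    echo "WARNING: group bits on $1 mask the ACL" >&2
  fi
  getfacl -p "$1" 2>/dev/null | grep -E "^(default:)?user:$2:"
}
```

Run `show_web_access` after any chmod on a site directory; a mode of 750 keeps the ACL effective, while 700 triggers the warning and getfacl shows the masked entry.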
