Well, you do not need to add joe or meg to group www-data. But Apache needs to read them anyway; just make sure Apache runs in group www-data. joe or meg cannot access these files with their accounts.
So, to summarise:
joe or meg should *NOT* be in the www-data group. Directory ownership should be
joe:www-data and chmod 0750 for the directory.
Aki Tuomi
On Mon, Jan 03, 2011 at 12:43:16PM +0100, Grzegorz Dwornicki wrote:
> First of all, thanks for the quick reply :D
>
> The problem is that Apache can read these files. Let's say that I have
> 2 users, joe and meg, and this structure of files:
>
> /home/joe/public_html/index.php
>
> /home/meg/public_html/config.php
>
> According to this, if I want to secure PHP from joe's site to be able to
> open meg's secret.php just for reading the file ("r" perm), I need to take
> some action, maybe from php.ini.
>
> If I won't do this, joe's scripts are run as joe:www-data? So joe can't
> open them but group www-data can.
>
> That's why I've tried to run Apache as root and suPHP, to eliminate
> group perms. But as I say, it generates a 500 internal server error and
> error.log shows what I've pasted earlier.
>
> Is it possible?
>
> Best Regards
>
> 2011/1/3 Aki Tuomi <[email protected]>:
> > On Mon, Jan 03, 2011 at 12:05:35AM +0100, Grzegorz Dwornicki wrote:
> >> Hi
> >>
> >> Let's say I want to create a configuration of apache2 + suphp which
> >> will allow users to set rights for their files and directories to owner
> >> only. So PHP needs to be run as owner (this takes suphp). But in
> >> order for Apache to even run suphp it needs to go to the documentroot and look
> >> at the index file or other file that the user had requested. To do this Apache
> >> needs to be able to go to that directory ignoring file rights - maybe
> >> Apache run as root?
> >>
> >> I wanted to check this configuration but it seems that Apache as root
> >> and suphp creates errors like this:
> >>
> >> ...
> >>
> >> Best Regards
> >> Grzegory
> >>
> >
> > Of course, you could set the directory to be owned by username:www-data (or
> > whatever group your apache uses), and set perms to 0750. This would, in my
> > opinion, achieve the same security?
> >
> > Aki Tuomi
>
> _______________________________________________
> suPHP mailing list
> [email protected]
> https://lists.marsching.com/mailman/listinfo/suphp
>
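
A check for the layout summarised in the reply at the top of this message (directory owned user:www-data, mode 0750, owner not a member of www-data), as an added example that is not part of the original thread. The function names `audit` and `audit_path` are hypothetical, and the default group name `www-data` is taken from the thread.

```python
import grp
import os
import pwd
import stat
import sys


def audit(owner, group, mode, web_group, web_group_members, owner_primary_group):
    """Return a list of deviations from the owner:web_group 0750 layout."""
    findings = []
    if group != web_group:
        findings.append(f"group is {group}, expected {web_group}")
    if mode & stat.S_IRWXO:
        findings.append("other users have access")
    if mode & stat.S_IWGRP:
        findings.append(f"group {group} can write")
    if (mode & 0o050) != 0o050:
        findings.append(f"group {group} cannot read and traverse")
    # If the owner is in the web group, the group bits on every other
    # user's directory apply to this owner's account as well.
    if owner in web_group_members or owner_primary_group == web_group:
        findings.append(f"{owner} is a member of {web_group}")
    return findings


def audit_path(path, web_group="www-data"):
    """Collect the facts for a real directory and run audit() on them."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid)
    return audit(
        owner.pw_name,
        grp.getgrgid(st.st_gid).gr_name,
        st.st_mode,
        web_group,
        grp.getgrnam(web_group).gr_mem,
        grp.getgrgid(owner.pw_gid).gr_name,
    )


if __name__ == "__main__":
    # Usage: python3 audit.py /home/joe/public_html /home/meg/public_html
    for path in sys.argv[1:]:
        for finding in audit_path(path) or ["ok"]:
            print(f"{path}: {finding}")
```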
