Sorry for 2 replies in a short time, but this solution allows users on
the server to list files in other users' homes. Let's say that setting 700
on home is the preferred solution if it is possible.

Best Regards

2011/1/3 Grzegorz Dwornicki <[email protected]>:
> This indeed could work, I'll check it later. If you don't mind, I'm still
> interested in a solution that will not require group perms. I saw it on
> one server but I've lost contact with the admin, so I'm trying to figure it
> out :). But I'll write later that this works as well :D
>
> 2011/1/3 Aki Tuomi <[email protected]>:
>> Well, you do not need to add joe or meg to group www-data. But apache needs to
>> read them anyway, just make sure apache runs in group www-data. joe or meg
>> cannot access these files with their accounts.
>>
>> So. To summarise
>>
>> joe or meg should *NOT* be in www-data group. directory ownership should be
>> joe:www-data and chmod 0750 for the directory.
>>
>> Aki Tuomi
>>
>> On Mon, Jan 03, 2011 at 12:43:16PM +0100, Grzegorz Dwornicki wrote:
>>> First of all, thx for the quick reply :D
>>>
>>> The problem is that apache can read these files. Let's say that I have
>>> 2 users, joe and meg, and this structure of files:
>>>
>>> /home/joe/public_html/index.php
>>>
>>> /home/meg/public_html/config.php
>>>
>>> According to this, if I want to secure PHP from joe's site to be able to
>>> open meg's secret.php just for reading the file ("r" perm), I need to take
>>> some action, maybe from php.ini.
>>>
>>> If I won't do this, joe's scripts are run as joe:www-data? So joe can't
>>> open them but group www-data can.
>>>
>>> That's why I've tried to run apache as root and suphp. To eliminate
>>> group perms. But as I say, it generates a 500 internal server error and
>>> error.log shows what I've pasted earlier.
>>>
>>> Is it possible?
>>>
>>> Best Regards
>>>
>>> 2011/1/3 Aki Tuomi <[email protected]>:
>>> > On Mon, Jan 03, 2011 at 12:05:35AM +0100, Grzegorz Dwornicki wrote:
>>> >> Hi
>>> >>
>>> >> Let's say I want to create a configuration of apache2 + suphp which
>>> >> will allow users to set rights for their files and directories to owner
>>> >> only. So PHP needs to be run as owner (this takes suphp). But in
>>> >> order for apache to even run suphp, it needs to go to documentroot and look
>>> >> at the index file or other file that the user had requested. To do this, apache
>>> >> needs to be able to go to that directory ignoring file rights - maybe
>>> >> apache run as root?
>>> >>
>>> >> I wanted to check this configuration but it seems that apache as root
>>> >> and suphp creates errors like this:
>>> >>
>>> >> ...
>>> >>
>>> >> Best Regards
>>> >> Grzegory
>>> >>
>>> >
>>> > Of course, you could set the directory to be owned by username:www-data 
>>> > (or whatever group your apache uses), and set perms to 0750. This would, 
>>> > in my opinion, achieve the same security?
>>> >
>>> > Aki Tuomi
>>> >
>>>
>>> _______________________________________________
>>> suPHP mailing list
>>> [email protected]
>>> https://lists.marsching.com/mailman/listinfo/suphp
>>>
>>
>
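
Added example, not part of the original thread: a small Python model of the POSIX owner/group/other check for the two directory layouts discussed above (user:www-data with 0750 versus owner-only 0700). The process identities are assumptions, in particular which group a user's script runs with, since the thread does not settle that.

```python
from dataclasses import dataclass

R, X = 4, 1  # read and search bits within one permission class

@dataclass(frozen=True)
class Proc:
    uid: str
    gids: frozenset  # primary plus supplementary groups

@dataclass(frozen=True)
class Dir:
    owner: str
    group: str
    mode: int

def allowed(proc, d, want):
    """POSIX picks exactly one class: owner, else group, else other."""
    if proc.uid == "root":
        return True  # root bypasses directory permission checks
    if proc.uid == d.owner:
        bits = d.mode >> 6
    elif d.group in proc.gids:
        bits = d.mode >> 3
    else:
        bits = d.mode
    return ((bits & 7) & want) == want

def can_list(proc, path):
    """Search (x) on every directory in the path, read (r) on the last."""
    return all(allowed(proc, d, X) for d in path) and allowed(proc, path[-1], R)

def scenarios():
    # Constructed layout standing in for /home/meg and /home/meg/public_html.
    shared = [Dir("meg", "www-data", 0o750)] * 2   # meg:www-data, 0750
    private = [Dir("meg", "meg", 0o700)] * 2       # owner only, 0700
    procs = {
        "apache": Proc("www-data", frozenset({"www-data"})),    # assumed worker identity
        "joe_own_group": Proc("joe", frozenset({"joe"})),        # assumption: script keeps joe's group
        "joe_web_group": Proc("joe", frozenset({"www-data"})),   # assumption: script gets web group
    }
    return {(name, label): can_list(p, path)
            for name, p in procs.items()
            for label, path in (("0750", shared), ("0700", private))}

if __name__ == "__main__":
    for key, ok in scenarios().items():
        print(key, "can list" if ok else "denied")
```

With 0750 the outcome for another user's script depends entirely on whether it carries the web server's group; with 0700 only the owner (or root) gets in, which also locks out an unprivileged web server process.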
