Er. No. It doesn't. If you have a directory

-rwxr-x--- 1 joe www-data public_htm

then only joe, or members of the www-data group, can read this directory. The
group www-data has only one member, a user called www-data, which is what you
use to run your apache. Now, this way users cannot see each other's home
directories. Agreed?

Aki Tuomi

On Mon, Jan 03, 2011 at 12:59:07PM +0100, Grzegorz Dwornicki wrote:
> Sorry for 2 replies in a short time but this solution allows users on
> the server to list files in other users' home. Let's say that setting 700
> on home is the preferred solution if it is possible
>
> Best Regards
>
> 2011/1/3 Grzegorz Dwornicki <[email protected]>:
> > this indeed could work, I'll check it later. If you wouldn't mind, I'm still
> > interested in a solution that will not require group perms. I saw it on
> > one server but I've lost contact with the admin so I'm trying to figure it
> > out :). But I'll write later that this works as well :D
> >
> > 2011/1/3 Aki Tuomi <[email protected]>:
> >> Well. You do not need to add joe or meg into group www-data. But apache
> >> needs to read them anyway, just make sure apache runs in group www-data.
> >> joe or meg cannot access these files with their accounts.
> >>
> >> So. To summarise
> >>
> >> joe or meg should *NOT* be in www-data group. directory ownership should be
> >> joe:www-data and chmod 0750 for the directory.
> >>
> >> Aki Tuomi
> >>
> >> On Mon, Jan 03, 2011 at 12:43:16PM +0100, Grzegorz Dwornicki wrote:
> >>> First of all thx for the quick reply :D
> >>>
> >>> the problem is that apache can read these files. Let's say that I have
> >>> 2 users joe and meg and this structure of files:
> >>>
> >>> /home/joe/public_html/index.php
> >>>
> >>> /home/meg/public_html/config.php
> >>>
> >>> According to this if I want to secure php from joe site to be able to
> >>> open meg's secret.php just for reading file ("r" perm) I need to take
> >>> some action maybe from php.ini.
> >>>
> >>> If I won't do this joe scripts are run as joe:www-data? So joe can't
> >>> open them but group www-data can.
> >>>
> >>> That's why I've tried to run apache as root and suphp. To eliminate
> >>> group perms. But as I say it generates 500 internal server error and
> >>> error.log shows what I've pasted earlier.
> >>>
> >>> Is it possible?
> >>>
> >>> Best Regards
> >>>
> >>> 2011/1/3 Aki Tuomi <[email protected]>:
> >>> > On Mon, Jan 03, 2011 at 12:05:35AM +0100, Grzegorz Dwornicki wrote:
> >>> >> Hi
> >>> >>
> >>> >> Let's say I want to create a configuration of apache2 + suphp which
> >>> >> will allow users to set rights for their files and directories to owner
> >>> >> only. So php needs to be run as owner (this takes suphp). But in
> >>> >> order for apache to even run suphp it needs to go to documentroot and look
> >>> >> at the index file or other file that the user had requested. To do this apache
> >>> >> needs to be able to go to that directory ignoring file rights - maybe
> >>> >> apache run as root?
> >>> >>
> >>> >> I wanted to check this configuration but it seems that apache as root
> >>> >> and suphp creates errors like this:
> >>> >>
> >>> >> ...
> >>> >>
> >>> >> Best Regards
> >>> >> Grzegory
> >>> >>
> >>> >
> >>> > Of course, you could set the directory to be owned by username:www-data
> >>> > (or whatever group your apache uses), and set perms to 0750. This
> >>> > would, in my opinion, achieve the same security?
> >>> >
> >>> > Aki Tuomi
_______________________________________________
suPHP mailing list
[email protected]
https://lists.marsching.com/mailman/listinfo/suphp
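
A check for the layout described in the thread above (directory owned by user:webgroup, mode 0750, site user not a member of the web server's group), as an added example that is not part of the original messages. The function name `audit_docroot` and its arguments are hypothetical, and it assumes a `stat` that supports `-c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: audit one docroot against the layout from the thread:
#   owner = site user, group = web server group, mode exactly 0750,
#   and the site user is NOT a member of the web server group.
# Names are hypothetical; www-data as the default group is an assumption.
# Prints one line per finding and returns the number of findings
# (0 = compliant), or 255 if the path is not a directory.
audit_docroot() {
    local dir="$1" owner="$2" web_group="${3:-www-data}"
    local findings=0 st st_user st_group st_mode rest g

    [ -d "$dir" ] || { echo "$dir: not a directory"; return 255; }

    # One stat call, split into "user group mode" with parameter expansion.
    st=$(stat -c '%U %G %a' "$dir") || return 255
    st_user=${st%% *}; st_mode=${st##* }
    rest=${st#* };     st_group=${rest% *}

    if [ "$st_user" != "$owner" ]; then
        echo "$dir: owner is $st_user, expected $owner"
        findings=$((findings + 1))
    fi
    if [ "$st_group" != "$web_group" ]; then
        echo "$dir: group is $st_group, expected $web_group"
        findings=$((findings + 1))
    fi
    # 750 = rwx for the owner, r-x for the web server group, nothing for others.
    # Any other value (755, 770, setgid 2750, ...) is reported.
    if [ "$st_mode" != "750" ]; then
        echo "$dir: mode is $st_mode, expected 750"
        findings=$((findings + 1))
    fi
    # If the site user were in the web group, the group bits on every other
    # docroot would let that user read it directly.
    for g in $(id -Gn "$owner" 2>/dev/null); do
        if [ "$g" = "$web_group" ]; then
            echo "$owner: is a member of $web_group"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Call it once per site, for example `audit_docroot /home/joe/public_html joe www-data`; a return value of 0 means the directory matches the layout.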
