Even when they run PHP functions? Assuming they aren't blocked. In
the other case I agree :)

2011/1/3 Aki Tuomi <[email protected]>:
>
> Er. No. It doesn't.
>
> If you have directory
>
> -rwxr-x---  1 joe www-data public_htm
>
> then only joe, or members of www-data group, can read this directory.
>
> The group www-data has only one member, user called www-data, which is
> what you use to run your apache.
>
> Now, this way users cannot see each others home directories.
>
> Agreed?
>
> Aki Tuomi
>
> On Mon, Jan 03, 2011 at 12:59:07PM +0100, Grzegorz Dwornicki wrote:
>> Sorry for 2 replies in a short time, but this solution allows users on
>> the server to list files in another user's home. Let's say that setting 700
>> on home is the preferred solution if it is possible.
>>
>> Best Regards
>>
>> 2011/1/3 Grzegorz Dwornicki <[email protected]>:
>> > This indeed could work, I'll check it later. If you wouldn't mind, I'm still
>> > interested in a solution that will not require group perms. I saw it on
>> > one server but I've lost contact with the admin, so I'm trying to figure it
>> > out :). But I'll write later that this works as well :D
>> >
>> > 2011/1/3 Aki Tuomi <[email protected]>:
>> >> Well, you do not need to add joe or meg into group www-data. But apache needs to
>> >> read them anyways, just make sure apache runs in group www-data. joe or meg
>> >> cannot access these files with their accounts.
>> >>
>> >> So. To summarise
>> >>
>> >> joe or meg should *NOT* be in www-data group. directory ownership should be
>> >> joe:www-data and chmod 0750 for the directory.
>> >>
>> >> Aki Tuomi
>> >>
>> >> On Mon, Jan 03, 2011 at 12:43:16PM +0100, Grzegorz Dwornicki wrote:
>> >>> First of all, thx for the quick reply :D
>> >>>
>> >>> The problem is that apache can read these files. Let's say that I have
>> >>> 2 users, joe and meg, and this structure of files:
>> >>>
>> >>> /home/joe/public_html/index.php
>> >>>
>> >>> /home/meg/public_html/config.php
>> >>>
>> >>> According to this, if I want to secure PHP from joe's site being able to
>> >>> open meg's secret.php just for reading the file ("r" perm), I need to take
>> >>> some action, maybe from php.ini.
>> >>>
>> >>> If I won't do this, joe's scripts are run as joe:www-data? So joe can't
>> >>> open them but group www-data can.
>> >>>
>> >>> That's why I've tried to run apache as root and suphp. To eliminate
>> >>> group perms. But as I say, it generates a 500 internal server error and
>> >>> error.log shows what I've pasted earlier.
>> >>>
>> >>> Is it possible?
>> >>>
>> >>> Best Regards
>> >>>
>> >>> 2011/1/3 Aki Tuomi <[email protected]>:
>> >>> > On Mon, Jan 03, 2011 at 12:05:35AM +0100, Grzegorz Dwornicki wrote:
>> >>> >> Hi
>> >>> >>
>> >>> >> Let's say I want to create a configuration of apache2 + suphp which
>> >>> >> will allow users to set rights for their files and directories to owner
>> >>> >> only. So php needs to be run as owner (this takes suphp). But in
>> >>> >> order for apache to even run suphp it needs to go to documentroot and look
>> >>> >> at the index file or other file that the user had requested. To do this apache
>> >>> >> needs to be able to go to that directory ignoring file rights - maybe
>> >>> >> apache run as root?
>> >>> >>
>> >>> >> I wanted to check this configuration but it seems that apache as root
>> >>> >> and suphp creates errors like this:
>> >>> >>
>> >>> >> ...
>> >>> >>
>> >>> >> Best Regards
>> >>> >> Grzegory
>> >>> >>
>> >>> >
>> >>> > Of course, you could set the directory to be owned by
>> >>> > username:www-data (or whatever group your apache uses), and set perms
>> >>> > to 0750. This would, in my opinion, achieve the same security?
>> >>> >
>> >>> > Aki Tuomi
>> >>> >
>> >>> >
>> >>>
>> >>> _______________________________________________
>> >>> suPHP mailing list
>> >>> [email protected]
>> >>> https://lists.marsching.com/mailman/listinfo/suphp
>> >>>
>> >>
>> >
>>
>
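
Added example, not part of the original thread: a shell model of the owner/group/other check behind the `joe:www-data` / `0750` layout and the `700` alternative discussed above. It touches no real files; the names are the thread's sample users, and the `joe-in-www-data` row is a hypothetical process carrying the `www-data` gid, not a statement of how suPHP runs scripts.

```shell
#!/bin/sh
# Added example: models the POSIX owner/group/other check for the layout
# discussed in the thread. Nothing here touches the real filesystem; users,
# groups and paths are the thread's sample names.

# perm_bits OWNER GROUP MODE USER "GROUPS"
# Prints the octal digit (0-7) that applies to a process running as USER with
# the space-separated group list GROUPS. Exactly one class is used: owner if
# the uid matches, else group if any gid matches, else other.
perm_bits() {
    pb_mode=$(( 0$3 ))                 # leading 0 => parsed as octal
    if [ "$4" = "$1" ]; then
        echo $(( (pb_mode >> 6) & 7 )); return
    fi
    for pb_g in $5; do
        if [ "$pb_g" = "$2" ]; then
            echo $(( (pb_mode >> 3) & 7 )); return
        fi
    done
    echo $(( pb_mode & 7 ))
}

# A directory can be listed with r (4) and entered with x (1).
can_list() { [ $(( $(perm_bits "$@") & 5 )) -eq 5 ]; }

# report MODE: who can list /home/meg/public_html (meg:www-data) at MODE.
# The last row is hypothetical: joe's uid with the www-data gid attached.
report() {
    while read -r who user groups; do
        if can_list meg www-data "$1" "$user" "$groups"; then r=yes; else r=no; fi
        printf '%s  %-18s list=%s\n' "$1" "$who" "$r"
    done <<EOF
apache            www-data www-data
meg-shell         meg      meg
joe-shell         joe      joe
joe-in-www-data   joe      joe www-data
EOF
}

report 0750   # layout suggested in the thread
report 0700   # owner-only layout asked for in the thread
```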
