suphp is ran under the user's credentials.
On Mon, Jan 03, 2011 at 01:07:52PM +0100, Grzegorz Dwornicki wrote: > Even when they run php functions? Assuming they aren't blocked. In > other case i agree :) > > 2011/1/3 Aki Tuomi <[email protected]>: > > > > Er. No. It doesn't. > > > > If you have directory > > > > -rwxr-x--- 1 joe www-data public_htm > > > > then only joe, or members of www-data group, can read this directory. > > > > The group www-data has only one member, user called www-data, which is > > what you use to run your apache. > > > > Now, this way users cannot see each others home directories. > > > > Agreed? > > > > Aki Tuomi > > > > On Mon, Jan 03, 2011 at 12:59:07PM +0100, Grzegorz Dwornicki wrote: > >> Sorry for 2 replies in short time but this solution allowes users on > >> the serwer to list files in other user home. Let's say that seting 700 > >> on home is prefered solution if it is possible > >> > >> Best Regards > >> > >> 2011/1/3 Grzegorz Dwornicki <[email protected]>: > >> > this indeedcould work ill check it later. I you wont'd mind im still > >> > interested in solution that will not require group perms. I saw it on > >> > one serwer but i've lost contact to admin soo im trying to figure it > >> > out :). But i'll write later that this works as well :D > >> > > >> > 2011/1/3 Aki Tuomi <[email protected]>: > >> >> Well. you do not need add joe or meg into group www-data. But apache > >> >> needs to > >> >> read them anyways, just make sure apache runs in group www-data. joe or > >> >> meg > >> >> cannot access these files with their accounts. > >> >> > >> >> So. To summarise > >> >> > >> >> joe or meg should *NOT* be in www-data group. directory ownership > >> >> should be > >> >> joe:www-data and chmod 0750 for the directory. > >> >> > >> >> Aki Tuomi > >> >> > >> >> On Mon, Jan 03, 2011 at 12:43:16PM +0100, Grzegorz Dwornicki wrote: > >> >>> Firt of all thx for squick reply :D > >> >>> > >> >>> the problem is that apache can read thesse files. Lets say that i have > >> >>> 2 users joe and meg and this structure of files: > >> >>> > >> >>> /home/joe/public_html/index.php > >> >>> > >> >>> /home/meg/public_html/config.php > >> >>> > >> >>> According to this if i want to secure php from joe site to be able to > >> >>> open meg's secret.php just for reading file ("r" perm) i need to takie > >> >>> some action maybe from php.ini. > >> >>> > >> >>> If i wont do this joe scripts are run as joe:www-data? Soo joe can't > >> >>> open them but group www-data can. > >> >>> > >> >>> That's why ive tried to run apache as root and suphp. Too eliminate > >> >>> group perms. But as i say it generates 500 internal server error and > >> >>> error.log shows what i've pasted earler. > >> >>> > >> >>> Is it possible? > >> >>> > >> >>> Best Regards > >> >>> > >> >>> 2011/1/3 Aki Tuomi <[email protected]>: > >> >>> > On Mon, Jan 03, 2011 at 12:05:35AM +0100, Grzegorz Dwornicki wrote: > >> >>> >> Hi > >> >>> >> > >> >>> >> Let's say i want to create a configuration of apache2 + suphp with > >> >>> >> will allow users to set right for their files and directories to > >> >>> >> owner > >> >>> >> only. Soo php needs to be run as owner (this takes suphp). But in > >> >>> >> order to apache even run suphp it needs to go to documentroot and > >> >>> >> look > >> >>> >> at index file or other file that user had requested. To to tjis > >> >>> >> apache > >> >>> >> needs to be able to go to that directory ignoring file rights - > >> >>> >> maybe > >> >>> >> apache run as root? > >> >>> >> > >> >>> >> I wanted to chect this configuration but it seems that apache as > >> >>> >> root > >> >>> >> and suphp creates errors like this: > >> >>> >> > >> >>> >> ... > >> >>> >> > >> >>> >> Best Regards > >> >>> >> Grzegory > >> >>> >> > >> >>> > > >> >>> > Of course, you could set the directory to be owned by > >> >>> > username:www-data (or whatever group your apache uses), and set > >> >>> > perms to 0750. This would, in my opinion, achieve the same security? > >> >>> > > >> >>> > Aki Tuomi > >> >>> > > >> >>> > -----BEGIN PGP SIGNATURE----- > >> >>> > Version: GnuPG v1.4.9 (GNU/Linux) > >> >>> > > >> >>> > iEYEARECAAYFAk0hrNAACgkQahHbMDrZuj56pQCfZKxtMwyeCKFvZuAojDmhK836 > >> >>> > uAkAn3HNEkLFkyMyWp1aiVlqeDSs1IMG > >> >>> > =EsWr > >> >>> > -----END PGP SIGNATURE----- > >> >>> > > >> >>> > > >> >>> > >> >>> _______________________________________________ > >> >>> suPHP mailing list > >> >>> [email protected] > >> >>> https://lists.marsching.com/mailman/listinfo/suphp > >> >>> > >> >> > >> >> -----BEGIN PGP SIGNATURE----- > >> >> Version: GnuPG v1.4.9 (GNU/Linux) > >> >> > >> >> iEYEARECAAYFAk0ht6wACgkQahHbMDrZuj4DgACgmLMNX29qQJq4Zr/SewegJv2b > >> >> 1XkAnjEzoK+eqnMqr6bCfY8wGLq0/16x > >> >> =xtDq > >> >> -----END PGP SIGNATURE----- > >> >> > >> >> > >> > > >> > >> _______________________________________________ > >> suPHP mailing list > >> [email protected] > >> https://lists.marsching.com/mailman/listinfo/suphp > >> > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.9 (GNU/Linux) > > > > iEYEARECAAYFAk0hu2UACgkQahHbMDrZuj7AuACdHu6K5dEDw5HIX9sfSHH8YoEB > > SakAnA0z2oH6y44hb5fRNbzANxtlTnvP > > =s3hw > > -----END PGP SIGNATURE----- > > > > _______________________________________________ > > suPHP mailing list > > [email protected] > > https://lists.marsching.com/mailman/listinfo/suphp > > > > > > _______________________________________________ > suPHP mailing list > [email protected] > https://lists.marsching.com/mailman/listinfo/suphp >
signature.asc
Description: Digital signature
_______________________________________________ suPHP mailing list [email protected] https://lists.marsching.com/mailman/listinfo/suphp
