OK, I agree, but let's say that Apache is running as www-data:www-data and it sees a PHP script. So suPHP changes the uid to the user, and in the end I have user:www-data? In that case the group perms still apply.
But to get back to the main topic: why does Apache as root + suPHP generate a 500 Internal Server Error?

2011/1/3 Aki Tuomi <[email protected]>:
> suphp is run under the user's credentials.
>
> On Mon, Jan 03, 2011 at 01:07:52PM +0100, Grzegorz Dwornicki wrote:
>> Even when they run php functions? Assuming they aren't blocked. In
>> other case I agree :)
>>
>> 2011/1/3 Aki Tuomi <[email protected]>:
>>> Er. No. It doesn't.
>>>
>>> If you have directory
>>>
>>> -rwxr-x--- 1 joe www-data public_html
>>>
>>> then only joe, or members of www-data group, can read this directory.
>>>
>>> The group www-data has only one member, user called www-data, which is
>>> what you use to run your apache.
>>>
>>> Now, this way users cannot see each others' home directories.
>>>
>>> Agreed?
>>>
>>> Aki Tuomi
>>>
>>> On Mon, Jan 03, 2011 at 12:59:07PM +0100, Grzegorz Dwornicki wrote:
>>>> Sorry for 2 replies in short time but this solution allows users on
>>>> the server to list files in other users' homes. Let's say that setting 700
>>>> on home is the preferred solution if it is possible.
>>>>
>>>> Best Regards
>>>>
>>>> 2011/1/3 Grzegorz Dwornicki <[email protected]>:
>>>>> This indeed could work, I'll check it later. If you wouldn't mind, I'm still
>>>>> interested in a solution that will not require group perms. I saw it on
>>>>> one server but I've lost contact with the admin so I'm trying to figure it
>>>>> out :). But I'll write later that this works as well :D
>>>>>
>>>>> 2011/1/3 Aki Tuomi <[email protected]>:
>>>>>> Well. You do not need to add joe or meg into group www-data. But apache
>>>>>> needs to read them anyways, just make sure apache runs in group www-data.
>>>>>> joe or meg cannot access these files with their accounts.
>>>>>>
>>>>>> So. To summarise:
>>>>>>
>>>>>> joe or meg should *NOT* be in www-data group. Directory ownership
>>>>>> should be joe:www-data and chmod 0750 for the directory.
>>>>>>
>>>>>> Aki Tuomi
>>>>>>
>>>>>> On Mon, Jan 03, 2011 at 12:43:16PM +0100, Grzegorz Dwornicki wrote:
>>>>>>> First of all thx for the quick reply :D
>>>>>>>
>>>>>>> The problem is that apache can read these files. Let's say that I have
>>>>>>> 2 users joe and meg and this structure of files:
>>>>>>>
>>>>>>> /home/joe/public_html/index.php
>>>>>>>
>>>>>>> /home/meg/public_html/config.php
>>>>>>>
>>>>>>> According to this, if I want to secure php from joe's site being able to
>>>>>>> open meg's secret.php just for reading the file ("r" perm), I need to take
>>>>>>> some action, maybe from php.ini.
>>>>>>>
>>>>>>> If I don't do this, joe's scripts are run as joe:www-data? So joe can't
>>>>>>> open them but group www-data can.
>>>>>>>
>>>>>>> That's why I've tried to run apache as root and suphp. To eliminate
>>>>>>> group perms. But as I say it generates 500 internal server error and
>>>>>>> error.log shows what I've pasted earlier.
>>>>>>>
>>>>>>> Is it possible?
>>>>>>>
>>>>>>> Best Regards
>>>>>>>
>>>>>>> 2011/1/3 Aki Tuomi <[email protected]>:
>>>>>>>> On Mon, Jan 03, 2011 at 12:05:35AM +0100, Grzegorz Dwornicki wrote:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> Let's say I want to create a configuration of apache2 + suphp which
>>>>>>>>> will allow users to set rights for their files and directories to owner
>>>>>>>>> only. So php needs to be run as owner (this takes suphp). But in
>>>>>>>>> order for apache to even run suphp it needs to go to the documentroot and
>>>>>>>>> look at the index file or other file that the user had requested. To do this
>>>>>>>>> apache needs to be able to go to that directory ignoring file rights -
>>>>>>>>> maybe apache run as root?
>>>>>>>>>
>>>>>>>>> I wanted to check this configuration but it seems that apache as root
>>>>>>>>> and suphp creates errors like this:
>>>>>>>>>
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>>> Best Regards
>>>>>>>>> Grzegorz
>>>>>>>>
>>>>>>>> Of course, you could set the directory to be owned by
>>>>>>>> username:www-data (or whatever group your apache uses), and set
>>>>>>>> perms to 0750. This would, in my opinion, achieve the same security?
>>>>>>>>
>>>>>>>> Aki Tuomi
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> suPHP mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.marsching.com/mailman/listinfo/suphp
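The permission rule the whole thread turns on (owner bits if the uid matches, else group bits if the directory's group is the process's gid or one of its supplementary groups, else other bits) as an added example; it is not from the thread or from suPHP. The uids/gids and the two setups it compares (scripts running as joe:joe versus joe:www-data, the case asked about at the top of the message) are constructed.

```python
# Added example (not from the list thread or suPHP): a model of the POSIX
# permission check behind the joe:www-data / chmod 0750 advice. Ids are constructed.
from dataclasses import dataclass
import stat

@dataclass(frozen=True)
class Proc:
    name: str
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups

@dataclass(frozen=True)
class Dir:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o750

def can_read(p: Proc, d: Dir) -> bool:
    """POSIX class selection: owner, else group, else other (uid 0 bypasses)."""
    if p.uid == 0:
        return True
    if p.uid == d.uid:
        return bool(d.mode & stat.S_IRUSR)
    if p.gid == d.gid or d.gid in p.groups:
        return bool(d.mode & stat.S_IRGRP)
    return bool(d.mode & stat.S_IROTH)

JOE, MEG, WWW = 1001, 1002, 33  # constructed ids for joe, meg and www-data
HOMES = [
    Dir("/home/joe/public_html", JOE, WWW, 0o750),
    Dir("/home/meg/public_html", MEG, WWW, 0o750),
]

def audit(procs):
    """For each directory, the sorted names of the processes that can read it."""
    return {d.path: sorted(p.name for p in procs if can_read(p, d)) for d in HOMES}

# Aki's layout: apache in group www-data, joe and meg not in it,
# their scripts run by suPHP as joe:joe and meg:meg.
SETUP_OK = [Proc("apache", WWW, WWW), Proc("joe-php", JOE, JOE), Proc("meg-php", MEG, MEG)]
# The case asked about at the top: a user's script ending up as user:www-data,
# so the group bits of the *other* user's 0750 directory apply to it as well.
SETUP_GID_WWW = [Proc("apache", WWW, WWW), Proc("joe-php", JOE, WWW), Proc("meg-php", MEG, WWW)]

if __name__ == "__main__":
    for label, procs in (("ok", SETUP_OK), ("gid=www-data", SETUP_GID_WWW)):
        print(label, audit(procs))
```

Running it shows that with 0750 and users kept out of the www-data group, only apache and the owner can read each public_html, while a script whose gid is www-data reads the neighbour's directory too.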
