Gentoo Forums
Web Hosting Server Permissions
LodBot
Apprentice


Joined: 06 Sep 2003
Posts: 155

Posted: Fri Mar 25, 2005 10:49 pm    Post subject: Web Hosting Server Permissions

For the past few years I've been providing my friends with webspace. Each user connects through ftp to update their content. I run pure-ftpd with mysql authentication and there is a system link in their home directories that guides them to their public html directory. This setup has worked great for me. The only security issue that I've noticed involves php scripts. So let's say my http root directory is /var/www/localhost/htdocs, user1's public html folder is /var/www/localhost/htdocs/user1/public_html and user2's public html folder is /var/www/localhost/htdocs/user2/public_html. I can't figure out a way that prohibits user1 from accessing user2's information via a php script. I've only been hosting my friends, so I've never worried about users accessing other users' information. Lately, though, I've been asked by a few strangers (not really strangers but people I don't know that well) for webspace. I want to make sure that these users can't access my http root directory as well as other people's. I'm assuming that my solution will have something to do with permission, but I'm not entirely sure and I can't figure out a way to do it.

I've thought about writing a script that opens every .php file and checks to make sure that the php file isn't accessing data it shouldn't be, but I figured there would be an easier way.

Also, can php scripts access any system commands that might cause damage? i.e. #rm and #mv.

Thanks in advance.
yaneurabeya
Veteran


Joined: 13 May 2004
Posts: 1754
Location: Seattle

Posted: Sat Mar 26, 2005 7:12 am

If the directories are owned by users who are not the same users that PHP is running under (since I believe PHP scripts run as the apache user with group www, but don't quote me on that >_<), if you set up the owning user for each directory to be different and/or separate from each other, it should run perfectly fine without perms issues. I don't know exactly how, but my school does it perfectly fine with hundreds of users, so it can be done easily I suppose. I will look into their httpd.conf file...

PHP scripts can only cause as much damage as the owning user can supply via a terminal. That's partly why apache/PHP doesn't run as root I would assume :).
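
An added example, not part of either post above: a small audit that applies the Unix owner/group/other check to the `<docroot>/<user>/public_html` layout from the question and lists which files a given process identity could open. The `demo` tree, the uid and the group are constructed; ACLs, root and directories above the docroot are ignored (assumptions).

```python
import os
import stat
import tempfile
from pathlib import Path

READ, SEARCH = 4, 1  # permission bits within one rwx triplet

def allowed(st, uid, gids, bit):
    """Unix mode check: exactly one of the owner/group/other triplets applies."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return bool((stat.S_IMODE(st.st_mode) >> shift) & bit)

def readable_files(docroot, uid, gids):
    """Files in <docroot>/<user>/public_html that uid/gids could open (mode bits only)."""
    docroot, found = Path(docroot), []
    if not allowed(docroot.stat(), uid, gids, SEARCH):
        return found
    for home in (p for p in docroot.iterdir() if p.is_dir() and not p.is_symlink()):
        if not allowed(home.stat(), uid, gids, SEARCH):
            continue
        stack = [home / "public_html"]
        while stack:
            d = stack.pop()
            # Opening a known file name needs only search (x) on each directory.
            if d.is_symlink() or not d.is_dir() or not allowed(d.stat(), uid, gids, SEARCH):
                continue
            for entry in d.iterdir():
                if entry.is_dir():
                    stack.append(entry)
                elif entry.is_file() and allowed(entry.stat(), uid, gids, READ):
                    found.append(entry.relative_to(docroot).as_posix())
    return sorted(found)

def demo():
    """Constructed tree: user1 is world-readable, user2 is owner+group only."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for user, dmode, fmode in (("user1", 0o755, 0o644), ("user2", 0o750, 0o640)):
            site = Path(root, user, "public_html")
            site.mkdir(parents=True)
            site.parent.chmod(0o755)
            site.chmod(dmode)
            page = site / "index.php"
            page.write_text("<?php echo 'hello'; ?>")
            page.chmod(fmode)
        gids = {page.stat().st_gid}
        other = os.getuid() + 1  # hypothetical uid that owns nothing in the tree
        # First result: identity with no shared group. Second: identity in the sites' group.
        return readable_files(root, other, set()), readable_files(root, other, gids)
```

Calling `readable_files("/var/www/localhost/htdocs", uid, gids)` with the uid and groups of the account PHP actually runs as shows what every script executed under that account can open. In the demo, the identity that shares the sites' group can open both users' files, while the one with no shared group can open only the world-readable site.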
All times are GMT