[Gllug] Apache / permissions

Tom Gilbert tom at linuxbrit.co.uk
Tue Nov 6 14:42:26 UTC 2001


* tet at accucard.com (tet at accucard.com) wrote:
> 
> >I've got a feeling this is insecure but I'm not sure exactly why or what
> >would be a better scheme for this type of situation. Could members of
> >the apache group stop apache running if they gained shell access or
> >something?
> 
> Not unless Apache had been deliberately set up that way.
> 
> >What's the usual way to do this sort of thing?
> 
> We have all the directories containing web pages set to 0755, and all
> files therein set to 0644 -- they're going to be on a public web site,
> after all, so what does it matter if local users can see them?
> 
> Where this breaks down is when you're using server side scripting to
> generate the pages (e.g., PHP), and you might not want people to see
> the source.

That's where you use CGI PHP and suexec. That way the user can own the
file, and chmod it 0600 or whatever, and you set up apache to run their
scripts as them using suexec.

Tom.
-- 
   .^.    .-------------------------------------------------------.
   /V\    | Tom Gilbert, London, England | http://linuxbrit.co.uk |
 /(   )\  | Open Source/UNIX consultant  | tom at linuxbrit.co.uk    |
  ^^-^^   `-------------------------------------------------------'

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
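
An added example, not part of the original thread: a shell function that audits one script against the scheme discussed above (source not readable by group/other, owned by the user it should run as). The write, setuid/setgid and directory checks mirror conditions in Apache's documented suexec security model, applied here to the script file itself as an assumption; the function name is hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: check a script against the permission scheme in this thread.
# Assumes GNU coreutils (stat -c). check_script is a hypothetical helper name.

# check_script FILE OWNER_UID
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
check_script() {
    f=$1; want_uid=$2; rc=0
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    mode=$(stat -c '%a' "$f")                 # octal mode, e.g. 600
    uid=$(stat -c '%u' "$f")                  # numeric owner
    dmode=$(stat -c '%a' "$(dirname "$f")")   # mode of the containing directory

    # Under suexec the script runs as its owner, so the owner must be the intended user.
    if [ "$uid" != "$want_uid" ]; then
        echo "$f: owned by uid $uid, expected $want_uid"; rc=1
    fi
    # Group/other read bits are what let other local users see the source.
    if [ $(( 0$mode & 044 )) -ne 0 ]; then
        echo "$f: mode $mode lets group/other read the source"; rc=1
    fi
    # suexec refuses a program that anyone but the owner can write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$f: mode $mode is writable by group/other"; rc=1
    fi
    # suexec refuses setuid/setgid programs.
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "$f: mode $mode has setuid/setgid set"; rc=1
    fi
    # suexec refuses a directory that anyone but the owner can write.
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "$f: directory mode $dmode is writable by group/other"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh audit.sh ~/public_html/*.php
for f in "$@"; do
    check_script "$f" "$(id -u)"
done
```

Run it as the owning user over their own scripts; a file left at 0644 is reported because its source is still readable by other local accounts.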



