[X-Unix] Shared hosting with apache and php, security concerns

Eugene Lee list-themacintoshguy at fsck.net
Sun Mar 21 03:02:27 PST 2004


On Sun, Mar 21, 2004 at 05:30:25AM -0500, Alexandre Gauthier wrote:
: 
: On 18/03/04 04:33, "Eugene Lee" <list-themacintoshguy at fsck.net> wrote:
: > 
: > Incorrect.  Files (and directories) to be served by Apache need to be
: > readable by the Apache process.  For example, if you configure Apache to
: > run as user "www" and group "www", then served content must be readable
: > by either the user "www" or anyone within the group "www".
: > 
: > In a shared web server, a typical method is to make all users' web
: > directories group-readable by Apache, but also disallow all world privs.
: > Doing this keeps users from accessing each other's web content.
: 
: Would you mind describing how to do this in more detail? I am interested in
: finding out.

This is the general idea for each user:

	$ chgrp www ~USER/Sites
	$ chmod 750 ~USER/Sites

where USER is replaced with the actual username.  The first command
makes sure that the user's web directory (i.e. "~USER/Sites") has a
group ID belonging to the Apache process (i.e. "www").  The second
command makes sure that the user can still modify everything in
the web directory, yet restricts the Apache process "www" to read-only
access.  This also takes advantage of the fact that OS X tends to be a bit
sloppy on the security end.  As a result all files and directories in
the web directory are world-readable unless set otherwise.

BTW, don't read "sloppy" as "insecure".  That's not true with OS X.


-- 
Eugene Lee
http://www.coxar.pwp.blueyonder.co.uk/
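
An added example, not part of the original post: a POSIX shell function that audits one user's web directory against the scheme described above (directory group set to Apache's group, mode 750, no world bits). The function names `has_perm` and `audit_site_dir` and the finding labels are made up for illustration; the Apache group is passed in as an argument.

```shell
#!/bin/sh
# Added example: audit a web directory against the "chgrp www / chmod 750" scheme.

# has_perm DIR MODE -> success if DIR itself has every bit in MODE set
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_site_dir DIR GROUP
# Prints one finding per line; returns 0 if DIR matches the scheme, 1 if not.
audit_site_dir() {
    dir=$1 grp=$2 rc=0
    [ -d "$dir" ] || { echo "MISSING   $dir"; return 1; }

    # The group must be the one Apache runs as, or the group bits grant it nothing.
    if [ -z "$(find "$dir" -prune -group "$grp" -print 2>/dev/null)" ]; then
        echo "GROUP     $dir is not group '$grp'"; rc=1
    fi
    # Apache needs r-x on the directory to list and traverse it ...
    if ! has_perm "$dir" 050; then
        echo "NOACCESS  $dir lacks group r-x; Apache cannot serve it"; rc=1
    fi
    # ... but not w: the scheme gives Apache read-only access.
    if has_perm "$dir" 020; then
        echo "GRPWRITE  $dir is group-writable"; rc=1
    fi
    # Any world bit on the directory lets other local users in.
    for bit in 004 002 001; do
        if has_perm "$dir" "$bit"; then
            echo "WORLD     $dir has world bit $bit set"; rc=1
        fi
    done
    # Contents are usually left world-readable; they are shielded only by the
    # directory mode checked above, so report how many depend on it.
    n=$(find "$dir" ! -path "$dir" -perm -004 -print 2>/dev/null | wc -l | tr -d ' ')
    echo "INFO      $dir: $n world-readable entries rely on the directory mode"
    return $rc
}
```

Run it as root or as the directory's owner, since any other account cannot descend into a 750 directory to count its contents.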


