[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Web server Miracles



From: "Ashe Tyrael" <ashe [at] techromantic.co.uk>
To: <shef-lug [at] list.sheflug.org.uk>
Sent: Thursday, January 15, 2004 10:41 AM
Subject: Re: [Sheflug] Web server Miracles


> On Thursday 15 Jan 2004 10:16 am, Rob Keeling wrote:
>
> > I will be setting the home directory permissions to user.nogroup, with
user
> > rxw, nogroup rx the web server is running as nogroup.
> >
> > This all seems to work, with students not being able to download (via
ssh
> > anyway) the source files of other users.
>
> But can they read them on the machine? Thats the key point. Plusnet take a
> similar approach to their php platform, and theres a slight problem with
> people being able to read any passwords/etc stored in the php code. I
suspect
> its not as important, because theyre less likely to be storing anything
> remotely sensitive, but it is something to watch for.

The users are not in the nogroup group, so can`t read each others files.

However php runing as wwwrun.nogroup would be able to read all files.

If I can run php as the home dir user then that problem would be got round.

How do plusnet (or other isp`s) do their scripting support?

I am really trying to hide mysql database userid`s/passwords in scripting.

Thanks

Rob Keeling

___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.