
Re: Apache2/PHP permissions in ISP environment



On Mon, Jun 13, 2005 at 05:06:37PM +1200, Simon wrote:
> Hi there, we are running debian sarge for a virtual hosting box. PHP safe
> mode is on for all users with a host of other php_admin_values etc. We are
> running name based virtual hosting for all hosts except SSL hosts which have
> their own IP... We are using pureftpd for our FTP server, with the u/p in a
> mysql database and chrooting the users in their dir.

> Currently the server runs as the debian default of www-data.www-data.. and
> the users are all logging in as www-client(1000).www-data..

> So, when PHP creates a file 'test.txt' (www-data.www-data), a script uploaded
> via FTP 'alterfile.php' (www-clients.www-data) can't change/delete the
> generated file 'test.txt'.

> I have set up the users etc. like that as the users FTP into a directory:
> /www/www.example.com/, in that dir there are: backups/, htdocs/, logs/,
> statistics/, ssl/. They can read everything, but only write to htdocs/.

> Does anyone have any suggestions on how to get around the above problem?

> How do I allow users to create files (with PHP) with the user of www-data,
> but still restrict some other directories from writing?

I ended up giving each user (or set of users who've got permissions to a
set of sites) their own group, and chmodding all the directories to be
'sticky-group' with www-data added to each group.

That way Apache can read all files, and the users can only read/write
their own files. I'm also using open_basedir in the apache config to keep
the users locked in their own tree. What it doesn't buy me is safety from
apache exploits on one site affecting all other sites.

This is a woody box with apache 1.3, but I plan to move to sarge with apache2 +
suPHP or similar once all my customers have cleared the PHP 4.1.2 => 4.3.1
upgrade. I haven't figured out a nice way to have the users control Apache's
write permission to their tree though, which is the ultimate goal.

Maybe one day I'll rebuild the machine with SELinux. ^_^

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
8th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------
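The per-site group plus setgid ("sticky-group") directory scheme described in the reply, as an added example that is not part of the original thread: one function lays out a site tree so every directory is group-owned by a per-site group with mode 2775, and a second audits an existing tree for directories that fall outside that scheme (wrong group, no setgid, or no group write). The /www/www.example.com layout comes from the thread; the group name, the `site-example` group and user names in the comment, and the temp-dir self-check are assumptions, and the self-check uses the caller's own primary group because creating groups and adding www-data to them requires root.

```shell
#!/bin/sh
# Added example, not from the original mail. Lays out one virtual host's tree
# so every directory is owned by a per-site group and is setgid ("sticky-group"
# in the reply), then audits a tree for directories that break that scheme.
# Assumed names: the /www/www.example.com layout from the thread and a per-site
# group passed as $2. The self-check below uses a temp dir and the caller's own
# group, since creating groups and adding www-data to them needs root.

# Make DIR's directories group-owned by GROUP with mode 2775: setgid so files
# created inside inherit GROUP, group rwx so both www-data (PHP) and the FTP
# user, who are both members, can create and modify files there.
setup_site_tree() {
    dir=$1; group=$2
    mkdir -p "$dir/backups" "$dir/htdocs" "$dir/logs" \
             "$dir/statistics" "$dir/ssl" || return 1
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    # regular files already present: owner and group rw, world-readable
    find "$dir" -type f -exec chmod 0664 {} + || return 1
}

# Print every directory under DIR that is not setgid, not group-rwx, or not
# owned by GROUP (-perm -2070 = setgid bit and all three group bits set).
# Prints nothing for a compliant tree.
audit_site_tree() {
    find "$1" -type d \( ! -perm -2070 -o ! -group "$2" \)
}

# Self-check: build a throwaway tree, break one directory on purpose, and
# return how many directories the audit flags (expected: 1).
demo_audit() {
    tmp=$(mktemp -d) || return 1
    grp=$(id -gn)                    # stands in for the per-site group
    site="$tmp/www.example.com"
    setup_site_tree "$site" "$grp" || return 1
    chmod 0755 "$site/ssl"           # constructed fault: drops setgid and group write
    count=$(audit_site_tree "$site" "$grp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$count"
}

# Root-only steps the reply relies on, shown for reference and not run here
# (hypothetical group and user names):
#   addgroup site-example
#   adduser www-data site-example
#   adduser simon site-example
#   setup_site_tree /www/www.example.com site-example
```

The setgid bit only fixes which group a new file belongs to; whether the other party can then write it depends on the creating process's umask. A file PHP creates under Apache with umask 022 still ends up 0644, so www-data's group members can read but not modify it, which is exactly the 'test.txt' problem in the question. Apache and pure-ftpd both need to run with umask 002 (or the scripts must chmod their output) for the scheme to give the symmetric read/write access the reply describes. Running `audit_site_tree` periodically catches directories that a tarball extraction, an FTP `mkdir`, or a manual chmod has knocked out of the layout.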
