[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Apache + PHP and user permissions


I'm helping someone to install a webserver, and we're trying to make it
a little secure. It's a Woody with Apache 1.3.26 and PHP 4.1.2. For the
users we have a ProFTPd with mod_sql (the users are in the database).

Currently all the site are set to user www-data and when the user access
with the FTP they are chrooted to their directory. My friend want me to
activate quota for every site. So I think I must set each site with a
real user as owner of the files. But with this, as Apache is launched as
www-data, users must set their directory to 701 and files to 604, I'm
right ? But in PHP, if they try to access other files from other usrers
with eventually some password... they are able to.

What kind of security can I use to avoid this ? Can we chroot the PHP
(Yes I know it's a strange sentence :) ?

Thanks to help me, and sorry for my (very) bad english.

StarK - Abris 13 - Confrérie Dioxygen
IRCNet : #O2
stark@abris13.org / stark@dioxygen.net
abris13.org / http://www.dioxygen.net/

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: