Apache + PHP and user permissions
I'm helping someone to install a webserver, and we're trying to make it
a little secure. It's a Woody with Apache 1.3.26 and PHP 4.1.2. For the
users we have a ProFTPd with mod_sql (the users are in the database).
Currently all the site are set to user www-data and when the user access
with the FTP they are chrooted to their directory. My friend want me to
activate quota for every site. So I think I must set each site with a
real user as owner of the files. But with this, as Apache is launched as
www-data, users must set their directory to 701 and files to 604, I'm
right ? But in PHP, if they try to access other files from other usrers
with eventually some password... they are able to.
What kind of security can I use to avoid this ? Can we chroot the PHP
(Yes I know it's a strange sentence :) ?
Thanks to help me, and sorry for my (very) bad english.
StarK - Abris 13 - Confrérie Dioxygen
IRCNet : #O2
firstname.lastname@example.org / email@example.com
abris13.org / http://www.dioxygen.net/
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact email@example.com