On Tue, 13 Feb 2001, Derek Sivers wrote:
> Can anyone think of any downside to this idea?
>
> Set Apache to run as user/group "www:www"
>
> Set ownership of PHP files and folders to "www:www"
> And set permissions to 700
> So that ONLY Apache can read them.
>
> Now - even if I give someone shell access to my box, or someone finds my
> personal login password, they still can't read my PHP passwords to MySQL.
>
> (Of course I'd have to be user "www" when uploading changes/files to the
> website.)
>
> Any other paranoid people tried this?
> Any downside to it?
Yeah ... I can create a .php script to read anything that is www
owned, and then just run that using a web browser... It'll have www
permissions just like your programs do.
Unfortunately in a multi-user, php-module mode environment, making
.php files secured from other users on the box is a near impossibility.
Your best bet is to run php as a CGI program and use Apache's suExec
functionality. This way you can keep all your php files under your login
id's ownership.
--Steve
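
The difference between the two setups, as an added example that is not part of the original thread: a small Python model of the Unix read-permission check, applied to the www:www layout from the question and to a suExec-style layout where the owner keeps the files. The uids, the user "alice" and the file paths are constructed assumptions.

```python
import stat
from collections import namedtuple

# Constructed sample metadata; uids, names and paths are illustrative only.
FileMeta = namedtuple("FileMeta", "path uid gid mode")
WWW_UID = WWW_GID = 33          # assumed id of the shared Apache user "www"
ALICE_UID = ALICE_GID = 1001    # hypothetical site owner
OTHER_UID = OTHER_GID = 1002    # hypothetical second user on the same box


def can_read(f, uid, gids):
    """Classic Unix read check: owner bits, else group bits, else other."""
    if uid == 0:
        return True
    if f.uid == uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def exposure(f):
    """Which script identities can read f under each deployment model."""
    return {
        # mod_php: every user's script executes as www, whoever wrote it.
        "any_script_mod_php": can_read(f, WWW_UID, {WWW_GID}),
        # CGI + suExec: each script executes as the account that owns it.
        "owner_script_suexec": can_read(f, ALICE_UID, {ALICE_GID}),
        "other_user_script_suexec": can_read(f, OTHER_UID, {OTHER_GID}),
    }


# Layout from the question: files owned www:www, mode 700.
proposed = FileMeta("/home/alice/site/db.php", WWW_UID, WWW_GID, 0o700)
# Layout from the reply: files stay under the owner's login id.
suexec = FileMeta("/home/alice/site/db.php", ALICE_UID, ALICE_GID, 0o600)

if __name__ == "__main__":
    for name, f in (("www:www 700", proposed), ("alice:alice 600", suexec)):
        print(name, exposure(f))
```
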