I have a requirement like this:
- the php script should be runnable by httpd user only.
- the php script will include other files.
- the php script should run as the user.
- the user must not be able to access the source code
of the scripts.
What I can think of so far:
Put the script in a directory only accessible by the
httpd user (www), e.g.:
# mkdir -p /home/app
# cp script.php /home/app
# chown root.www /home/app
# chmod 550 /home/app
# chown root.root /home/app/script.php
# chmod 555 /home/app/script.php
So script.php is safe from the user (except when somehow
the user manages to get its current directory changed to
/home/app, where then she can take script.php easily).
To prevent the user getting her hands to the script.php
via www user, I set the Apache configuration:
Options SymLinksIfOwnerMatch
to prevent the user linking to /home/app or
/home/app/script.php (unless the user can trick www or
some other privileged user to create the link for her).
and makes sure that Apache only runs wrapped CGI scripts,
and php runs as a cgi binary and not server module.
Now I just need to make sure that:
1) user cannot trick script.php to read and display itself
out to the browser, or copy itself to some public
directory.
2) user cannot trick other root processes to read
script.php for her.
Is there a better alternative?
Regards,
Steve
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
