> I want to keep their information on Mysql. That is, > if possible I don't want to create real system accounts. > > The problem is... using PHP, they can open any file > that is readable to nobody account (Apache user).. > So it can read and even edit other users' files.. > These two statements seem at odds with each other (to me anyway) .. if you're completely managing the user 'virtually' within mysql you could manage all your permissions and access within the database with sessions and a user id ... if on the other hand you are creating accounts on the system just with a nologin shell, then you're in a pickle with no real solution ... if the 'nobody' group needs read permission then you're correct that most anyone can read anyone else's work ... you're only real option is to create some kind of wrapper script for accessing the files that checks the db perms first.
BTW, there are *lots* of ISPs offering shell access (and web accounts) out there where this is an issue ... the entire /home tree is 0755 permed and user a can read/execute user b's stuff. .... even a 0750 doesn't fix it most of the time as the users share a common group ... I guess you could go with 0750, set uid=gid and then add 'nobody' to everyone's groups though ... ... enough, I'm just thinking out loud now. Hank -- Hank Marquardt <[EMAIL PROTECTED]> http://web.yerpso.net GPG Id: 2BB5E60C Fingerprint: D807 61BC FD18 370A AC1D 3EDF 2BF9 8A2D 2BB5 E60C *** Web Development: PHP, MySQL/PgSQL - Network Admin: Debian/FreeBSD *** PHP Instructor - Intnl. Webmasters Assn./HTML Writers Guild *** Beginning PHP -- Starts January 7, 2002 *** See http://www.hwg.org/services/classes -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
