At 19:49 20.11.2002, Dennis Gearon said:
--------------------[snip]--------------------
>Please B/CC me, thank you.
>
>I am on a site that has all the files in both the /home/sitename/www/
>directory and a directory
>we'll call /home/directory/includes/ with the following permissions:
>
>   rwxr-x--r
>
>The group I have in /etc/group does not have anyone in it, including me.
>
>The server reads everything fine and the php engine can include fine from the
>/home/sitename/includes/ directory.
>
>The problem is, everyone else on the site can read the includes directory as
>well, including my
>database password file which gets included.

You should set the owner and group of the includes directory correctly, in addition to the file permissions. If you want only apache (and PHP) to be able to read from the includes directory, and only you may add/modify, you should (assuming dgearon is your username):

    chown dgearon:apache /home/sitename/includes/.
    chown -R dgearon:apache /home/sitename/includes/*
    chmod 750 /home/sitename/includes/.
    chmod -R 640 /home/sitename/includes/*

This will make your account the owner of the directory and all files, and the group "apache" the owning group. Only the owner may list and modify the directory and files, and only the owner and the owning group may read the directory and its files. All others are denied access.

>What I would like to set up is:
>
>   [1] the apache/php engine can include from the
>       includes directory, but not just spit it out.
>       I think that is taken care of by the
>       .htaccess file already.

See my comment above

>   [2] the apache/php process is in my group,
>       and everything I want to go out has
>       the group permissions set to rwx--r---
>       (do php/html/inc files also have to be
>       executable to be served?)

no, they are read by the web server, not executed

>   [3] 'everyone' does not have the ability to read
>       my files on my server.

set the last permission number to zero (see above). The last number stands for "world" which means all others that are not owner or ownergroup.

--
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
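
Added example, not part of the original message: the same owner/group/mode scheme applied to a tree that may contain subdirectories (a recursive 640 would strip the search bit from them), followed by a check that nothing is still readable by "other". The function names harden_includes and world_accessible and the demo tree are hypothetical; pass dgearon:apache as the second argument when running as root.

```sh
#!/bin/sh
# Added example (not from the original thread).

# harden_includes DIR [OWNER:GROUP]
# Directories get 750 (group may list and traverse), files get 640
# (group may read), "other" gets nothing. Ownership is changed only when
# OWNER:GROUP is given, since chown to another account normally needs root.
harden_includes() {
    dir=$1
    owner_group=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if [ -n "$owner_group" ]; then
        chown -R "$owner_group" "$dir" || return 1
    fi
    find "$dir" -type d -exec chmod 750 {} + || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# world_accessible DIR
# Print every entry that still grants read, write or execute to "other".
# Symlinks are skipped: their own mode bits are not what is enforced.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Constructed demo tree (hypothetical names), run as the current user.
demo=$(mktemp -d)
mkdir -p "$demo/includes/db"
echo '<?php $db_pass = "example"; ?>' > "$demo/includes/db/password.inc"
chmod -R 755 "$demo/includes"
echo "world-accessible before:"; world_accessible "$demo/includes"
harden_includes "$demo/includes"
echo "world-accessible after:";  world_accessible "$demo/includes"
rm -rf "$demo"
```
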