trq Posted May 19, 2008 Share Posted May 19, 2008 Setting up a server, the vhost looks something like (off the top of my head).... <VirtualHost *> ServerName live.foo.com Alias /storage/content/live /uploads ServerRoot /var/www/htdocs/live/www </VirtualHost> (more to it than that but anyway...) Now, my main issue is with permissions. Within /storage/content/live the are hundreds of directories designed to hold client media files (images and pdf's mostly) the actual contents for each client is within postgres (this is a large cms hosting multiple clients, a few hundred presently). My main issue is the permissions to apply to these directories. Clients need to be able to upload to these directories, so one would assume they need to be writtable by the apache user (apache), however, is this not dangerous? What can I do to avoid it or is this simply the way I need to go? Quote Link to comment https://forums.phpfreaks.com/topic/106315-general-security-concerns/ Share on other sites More sharing options...
steviewdr Posted May 19, 2008 Share Posted May 19, 2008 My main issue is the permissions to apply to these directories. Clients need to be able to upload to these directories, so one would assume they need to be writtable by the apache user (apache), however, is this not dangerous? What can I do to avoid it or is this simply the way I need to go? Is it a dedicated server? Are there any other users of the same box/server? If not, then it will be fine to chown -r apache2:apache2 /var/www/htdocs/live (and chmod 600) after that. TBH, chmod 777 and the like only comes into effect if there are multiple users on a server, and or if there are some scripts which are poorly written. </two-cents> -steve Quote Link to comment https://forums.phpfreaks.com/topic/106315-general-security-concerns/#findComment-544901 Share on other sites More sharing options...
trq Posted May 19, 2008 Author Share Posted May 19, 2008 Yes its a dedicated box. There are a few users on the system, myself and a few (3) devs. Each has there own account. Each site also has an account and group, eg; live.foo.com = live_foo, stage.foo.com = stage_foo etc etc (Forgot to mention there are live, stage and dev versions of the site in place) and each of us users belong to those groups. Anyway, I think I'll chown -r live_foo:apache /storage/content/live and chmod 660. No client will ever have shell access. Just us four boys. Thanks for the clarification. Quote Link to comment https://forums.phpfreaks.com/topic/106315-general-security-concerns/#findComment-544940 Share on other sites More sharing options...
steviewdr Posted May 21, 2008 Share Posted May 21, 2008 Well if you trust the few users on that system your fine. What they could potentially do is: Create a php/cgi script which will copy all /var/www/htdocs and allow them to download the source code and see your mysql passwords. As php scripts run by the webuser, i.e. apache, then can access your files. Ideally if you trust/work with the other people, you might not mind too much. You could also disable php and cgi (and other scripts) by default for all users. So they can only run static html files etc. You could look into suPHP which is on apt also. It allows the webserver to "su" to the owner of the folder with the php file been accessed is in. -steve Quote Link to comment https://forums.phpfreaks.com/topic/106315-general-security-concerns/#findComment-546466 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.