Your other proposed solution results in the same situation, correct? No matter what, Apache needs read-access to any and all files, so no matter what PHP will have access to read any user's files. There's no way around that for a shared hosting situation that I know of...
If you remove the group's write privs, then PHP scripts can't really do any damage at least. Your solution doesn't work because the user "keith" could still do a "ls /home/shannon/public_html/" and get the directory listing (shannon's public_html directory is 0755, per your suggestion). Unless I'm missing something...?

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Thu, February 12, 2009 10:45 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>
>> Thanks so much, this solution works really well! It doesn't lock users
>> out of the entire system, but it does ensure that users can't view other
>> users' files via SFTP/SSH, which is fantastic.
>
> This solution enforces the switch of all user directories to group "www",
> which also means that any member of the group www gets access to these
> directories. This would be even more dangerous if your webserver runs
> with gid www and contains a php-module or something similar with a long
> tradition of security problems. Sorry, but you really, really should not
> do it this way.
>
> The sticky bit for group www on the public_html directories can be a good
> idea, though.
>
> bye,
> Uwe
>
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
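As an added example that is not part of this thread, the following small POSIX-style permission evaluator walks through the layout the two posts argue about: Keith's point that a 0755 public_html lets any local user list it, and Uwe's point that putting the directories in group "www" hands every www member (the web server included) the group's rights. The user names, group memberships and the 0750/0770 variants are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset  # primary + supplementary groups


@dataclass(frozen=True)
class Inode:
    path: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o755


def allowed(p: Principal, node: Inode, want: str) -> bool:
    """Classic POSIX check: select the owner/group/other triad that applies
    to the principal, then test the requested r/w/x bit in it."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if p.name == node.owner:
        triad = (node.mode >> 6) & 7
    elif node.group in p.groups:
        triad = (node.mode >> 3) & 7
    else:
        triad = node.mode & 7
    return bool(triad & bit)


def can_list(p: Principal, d: Inode) -> bool:
    # `ls` on a directory needs the read bit on the directory itself
    return allowed(p, d, "r")


def can_write(p: Principal, d: Inode) -> bool:
    return allowed(p, d, "w")


# Constructed principals: two hosting customers and the web server account.
keith = Principal("keith", frozenset({"keith"}))
shannon = Principal("shannon", frozenset({"shannon"}))
www = Principal("www", frozenset({"www"}))

# Variant A: the proposal as Keith reads it, public_html owned shannon:www, 0755.
pub_a = Inode("/home/shannon/public_html", "shannon", "www", 0o755)
# Variant B: "other" bits dropped; only shannon and group www can get in.
pub_b = Inode("/home/shannon/public_html", "shannon", "www", 0o750)
# Variant C: group www left writable, the case Uwe warns against.
pub_c = Inode("/home/shannon/public_html", "shannon", "www", 0o770)


def report(d: Inode) -> dict:
    """Map each principal to (can list, can write) for directory d."""
    return {p.name: (can_list(p, d), can_write(p, d)) for p in (keith, shannon, www)}
```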