Mark Linvill wrote:
> >While I use AOLserver and not apache+php3, the concepts are similar:
> >
> >1.) The httpd run user (which should not be root, but some unprivileged
> >account, such as 'webserver' (in my case, it's actually 'aolserver'))
> >should own all html and php files necessary, with perms of 600 or 700.
> >
>
> No way I would ever(!) do this. If your http daemon can modify
> the files it should only be serving, and the daemon is "php aware"...
> *shudder*

Run with the php scripts read-only, then. In the case of AOLserver, the
tcl scripts are protected by AOLserver's own permission structures.
Again, I gave the caveat that my experience with php was extremely
limited, and that I was giving how I have things done with AOLserver,
which, IMO, is straightforward, simple, and secure.
With AOLserver's built-in tcl, no php is necessary.

Lamar Owen
WGCR Internet Radio
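
An added example, not part of the original messages: a POSIX shell audit for the point argued in this thread, listing what the httpd account could rewrite under a web root and then applying the read-only variant. The function names and the demo tree are hypothetical.

```shell
#!/bin/sh
# Audit a web root for content the httpd account could rewrite.
# Constructed example: directory layout and file names are hypothetical.

# Files owned by the server account with the owner-write bit set (600, 700, 644 ...).
server_writable_files() {   # $1 = docroot, $2 = httpd user name or numeric uid
    find "$1" -type f -user "$2" -perm -200 -print
}

# Directories the account owns and can write: it could replace the files in them.
server_writable_dirs() {    # same arguments
    find "$1" -type d -user "$2" -perm -200 -print
}

# The read-only variant: 600 -> 400 and 700 -> 500, directories included.
# Caveat: an account that still owns a file can chmod the write bit back,
# so separate ownership is the stronger arrangement.
make_readonly() {           # same arguments
    find "$1" -user "$2" -perm -200 -exec chmod u-w,go-rwx {} +
}

# Build a throwaway tree owned by the current user and show before/after.
demo() {
    root=$(mktemp -d) || return 1
    me=$(id -u)
    mkdir "$root/htdocs"
    printf '<?php ?>\n' > "$root/htdocs/index.php3"
    printf '<html></html>\n' > "$root/htdocs/about.html"
    chmod 600 "$root/htdocs/index.php3"
    chmod 700 "$root/htdocs/about.html"
    echo "writable before:"; server_writable_files "$root" "$me"
    make_readonly "$root" "$me"
    echo "writable after:";  server_writable_files "$root" "$me"
    chmod -R u+w "$root" && rm -rf "$root"   # restore write so cleanup works
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```
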