* Thus wrote Joachim ([EMAIL PROTECTED]):
> Cpt John W. Holmes wrote:
> 
> >> So in fact the script has to run with the rights of the user
> >> web2?? Perhaps it does, but files/dirs are created with owner
> >> apache.
> > 
> > PHP runs as a module inside of apache, so any files it creates
> > are owned by the Apache user. That's the way it works.
> > 
> > If you run PHP as a CGI, this does not happen. Or use FTP to
> > make files.
> 
> And there is no other way? No way to configure it? Or, are there
> any hacks/patches, workarounds?
> 
> This way, it seems to me like a security hole, because I have to
> use 0777 while creating, then everybody could do everything with
> the files. Well, there is the open_basedir setting, but then,
> what about other users doing other things (not PHP)?
> 

Yes, that is a big security hole. There are some hosting solutions;
I can't really help you there, but a concept I think should work
would be:

permissions: 0770

user/group: $virtualuser/apache

where $virtualuser is the user's ftp login, shell access (if
available).

Now only the user and the apache process (thus PHP) can write to it. The files
are even locked out for anybody to see. Now with the combination of
open_basedir, it should all be safe.

I hope that puts you in the right direction,

The above stuff is just a concept and not guaranteed.

Curt
-- 
"I used to think I was indecisive, but now I'm not so sure."

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
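
The 0770 / `$virtualuser`:apache layout suggested in the reply above can be checked mechanically. The shell function below is an added example, not part of the original post; it assumes GNU `stat` and `find` (Linux), and the function name and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit one upload directory against the layout from the
# thread (mode 0770, owner = site user, group = web server group).
# Assumes GNU stat/find. Usage (path is a placeholder):
#   audit_dir /path/to/site/uploads apache

audit_dir() {
    dir=$1; want_group=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"; return 1
    fi

    mode=$(stat -c '%a' "$dir")     # octal mode, e.g. 770 or 2770
    gname=$(stat -c '%G' "$dir")    # group name
    gid=$(stat -c '%g' "$dir")      # numeric gid

    # Last octal digit is the "other" class. Non-zero means accounts that
    # are neither the owner nor in the group can reach the directory.
    case $mode in
        *0) ;;
        *)  echo "WORLD_ACCESS $dir mode=$mode"; rc=1 ;;
    esac

    # The web server can only create files here if the group has rwx.
    case $mode in
        *7?) ;;
        *)   echo "GROUP_NOT_RWX $dir mode=$mode"; rc=1 ;;
    esac

    # Accept the expected group either by name or by numeric gid.
    if [ "$want_group" != "$gname" ] && [ "$want_group" != "$gid" ]; then
        echo "WRONG_GROUP $dir group=$gname want=$want_group"; rc=1
    fi

    # Files created with 0666/0777 stay world-writable even after the
    # directory is tightened; symlinks are skipped (their mode is not used).
    ww=$(find "$dir" -mindepth 1 ! -type l -perm -002)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD_WRITABLE /'; rc=1
    fi
    return $rc
}
```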
