Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

permissions on file in directory for apache to use but not user to see

Posted on 2004-04-04
9
Medium Priority
?
321 Views
Last Modified: 2010-04-20
i have some files in a directory and i would like to hide the php code from the user who logs in via ftp.

he has permissions for everything but writing to his home directorys php files which i wrote.
he can still read them but as soon as i chmod them to no read the website says access forbidden, im guessing that apache needs some type of special read permissions.


also is there a way too if someone makes a php file and uploads it that it cannot read the other php files i wrote.

heres the current directory permissons on the php files
-rwxrwxr-x    1 jasonb   jasonb       6496 Feb 24 04:06 index.php
-rwxrwxr-x    1 jasonb   jasonb       2541 Feb 19 01:06 leftsideframe.php
-rwxrwxr-x    1 jasonb   jasonb        492 Feb 19 01:06 main.php
-rwxrwxr-x    1 jasonb   jasonb       5320 Mar  4 03:23 markfunctions.php
-rwxrwxr-x    1 jasonb   jasonb       4890 Feb 19 01:06 new.php
-rwxrwxr-x    1 jasonb   jasonb       8876 Mar  5 01:04 orderprints.php
-rwxrwxr-x    1 jasonb   jasonb       1408 Feb 24 04:06 pagevisit.php
-rwxrwxr-x    1 jasonb   jasonb       1406 Feb 19 01:06 rightsideframe.php
-rwxrwxr-x    1 jasonb   jasonb       3704 Mar  4 03:24 setupcontactsheets.php
-rwxrwxr-x    1 jasonb   jasonb       5875 Feb 19 01:06 test.php
0
Comment
Question by:aot2002
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10751465
With what user id / group id is your Apache server running? Once you know that, use this information to change the owner and/or group for your PHP files and make sure that you don't give any rights to the world. Let's say, your server runs as "wwwrun". You can protect your PHP files by using these commands:

chown wwwrun *.php
chmod 700 *.php

I don't think you can prevent other PHP files from accessing your PHP files. Once they are started, they run under the same user ID, and can therefore access these scripts.

0
 
LVL 1

Author Comment

by:aot2002
ID: 10752863
>>Once they are started, they run under the same user ID, and can therefore access these scripts.

Yea but isnt it true that if that user uploads the files he doesnt have access to apache
or can i prevent him from accessing anything that apache does.

0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10753359
I don't understand your question. If a user uploads a .php file, and your server is configured so that it executes .php files in the user's home directory, the Apache process can potentially access your php files and get access to the scripts. Unlikely, but not impossible.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 1

Author Comment

by:aot2002
ID: 10754572
but would it also be true the user would upload and his username would be marked as the owner of the file !

if he is the owner and he doesnt have permission then how can he execute a script?
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10755916
The owner of the file is not important, it's the execute permissions that will cause the problem.
0
 
LVL 1

Author Comment

by:aot2002
ID: 10756161
what if he doesnt have file changing permissions ?
basically he can upload but not change file permissions?

Is this possible?
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10756549
How do your users upload files to the server?
0
 
LVL 1

Author Comment

by:aot2002
ID: 10760409
ftp   im running vsftpd
0
 
LVL 44

Accepted Solution

by:
Karl Heinz Kremer earned 120 total points
ID: 10762527
The ftp protocol does allow to modify the file mode on the server. You have to make sure that your user's directories are marked as not-executable on the Web server level. Apache does this with -ExecCGI in the Options command.
0

Featured Post

Enroll in September's Course of the Month

This month’s featured course covers 16 hours of training in installation, management, and deployment of VMware vSphere virtualization environments. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Fine Tune your automatic Updates for Ubuntu / Debian
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question