Solved

permissions on file in directory for apache to use but not user to see

Posted on 2004-04-04
Last Modified: 2010-04-20
I have some files in a directory and I would like to hide the PHP code from the user who logs in via FTP.

He has permissions for everything but writing to his home directory's PHP files, which I wrote.
He can still read them, but as soon as I chmod them to no read the website says access forbidden. I'm guessing that Apache needs some type of special read permissions.


Also, is there a way, if someone makes a PHP file and uploads it, that it cannot read the other PHP files I wrote?

Here are the current directory permissions on the PHP files:
-rwxrwxr-x    1 jasonb   jasonb       6496 Feb 24 04:06 index.php
-rwxrwxr-x    1 jasonb   jasonb       2541 Feb 19 01:06 leftsideframe.php
-rwxrwxr-x    1 jasonb   jasonb        492 Feb 19 01:06 main.php
-rwxrwxr-x    1 jasonb   jasonb       5320 Mar  4 03:23 markfunctions.php
-rwxrwxr-x    1 jasonb   jasonb       4890 Feb 19 01:06 new.php
-rwxrwxr-x    1 jasonb   jasonb       8876 Mar  5 01:04 orderprints.php
-rwxrwxr-x    1 jasonb   jasonb       1408 Feb 24 04:06 pagevisit.php
-rwxrwxr-x    1 jasonb   jasonb       1406 Feb 19 01:06 rightsideframe.php
-rwxrwxr-x    1 jasonb   jasonb       3704 Mar  4 03:24 setupcontactsheets.php
-rwxrwxr-x    1 jasonb   jasonb       5875 Feb 19 01:06 test.php
0
Question by:aot2002
9 Comments
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10751465
With what user id / group id is your Apache server running? Once you know that, use this information to change the owner and/or group for your PHP files and make sure that you don't give any rights to the world. Let's say, your server runs as "wwwrun". You can protect your PHP files by using these commands:

chown wwwrun *.php
chmod 700 *.php

I don't think you can prevent other PHP files from accessing your PHP files. Once they are started, they run under the same user ID, and can therefore access these scripts.

0
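A check for the result of the chown/chmod advice above, as an added example that is not part of the thread: it lists .php files that any local account can still access, or that are not owned by the server account. The function name and output format are made up for this example, and it assumes the owner-based approach, where the server account owns the files.

```shell
#!/bin/sh
# Added example, not code from the thread.
# audit_php_perms DIR WEB_USER
#   DIR      - directory holding the PHP sources
#   WEB_USER - account (name or numeric UID) the Apache server runs as
# Prints one line per problem: "<reason> <path>".
audit_php_perms() {
    dir=$1
    web_user=$2

    # Any read, write or execute bit for "other" lets every local account,
    # the FTP user included, open the source (e.g. mode 775, -rwxrwxr-x).
    find "$dir" -type f -name '*.php' \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/world-access /'

    # With mode 700 only the owner can read the file, so the owner has to be
    # the server account or Apache answers "forbidden".
    find "$dir" -type f -name '*.php' ! -user "$web_user" -print |
        sed 's/^/wrong-owner /'
}

# Constructed demonstration in a scratch directory (no root needed): one file
# with the mode from the question's listing, one with the suggested mode.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/index.php"; chmod 775 "$tmp/index.php"
    : > "$tmp/main.php";  chmod 700 "$tmp/main.php"
    audit_php_perms "$tmp" "$(id -u)"
    rm -rf "$tmp"
}

demo
```

Run against the real document root, the second argument is the account the server runs as ("wwwrun" in the comment above).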
 
LVL 1

Author Comment

by:aot2002
ID: 10752863
>>Once they are started, they run under the same user ID, and can therefore access these scripts.

Yeah, but isn't it true that if that user uploads the files he doesn't have access to Apache?
Or can I prevent him from accessing anything that Apache does?

0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10753359
I don't understand your question. If a user uploads a .php file, and your server is configured so that it executes .php files in the user's home directory, the Apache process can potentially access your php files and get access to the scripts. Unlikely, but not impossible.
0
 
LVL 1

Author Comment

by:aot2002
ID: 10754572
But would it also be true that the user would upload and his username would be marked as the owner of the file?

If he is the owner and he doesn't have permission, then how can he execute a script?
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10755916
The owner of the file is not important, it's the execute permissions that will cause the problem.
0
 
LVL 1

Author Comment

by:aot2002
ID: 10756161
What if he doesn't have file-changing permissions?
Basically, he can upload but not change file permissions?

Is this possible?
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10756549
How do your users upload files to the server?
0
 
LVL 1

Author Comment

by:aot2002
ID: 10760409
FTP. I'm running vsftpd.
0
 
LVL 44

Accepted Solution

by:
Karl Heinz Kremer earned 30 total points
ID: 10762527
The FTP protocol does allow modifying the file mode on the server. You have to make sure that your user's directories are marked as not-executable on the Web server level. Apache does this with -ExecCGI in the Options command.
0
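The setting named in the accepted solution, as an added configuration sketch that is not part of the thread. The directory path is a hypothetical upload location kept apart from the site's own PHP files, and the php_admin_flag line assumes PHP is loaded as an Apache module.

```apache
# Added example, not from the thread. The path is a hypothetical upload
# directory, separate from the directory holding the site's own PHP files.
<Directory "/home/ftpuser/uploads">
    # The setting from the accepted solution: no CGI execution here.
    Options -ExecCGI

    # Ignore .htaccess files, so an uploaded file cannot switch the
    # option back on for this directory.
    AllowOverride None

    # Assumption: PHP runs as an Apache module. ExecCGI governs CGI
    # scripts, not the module, so the PHP engine is switched off for
    # this directory separately. Remove this line if mod_php is not
    # loaded, because Apache rejects directives it does not know.
    php_admin_flag engine off
</Directory>
```

On the FTP side, vsftpd's `chmod_enable=NO` setting refuses SITE CHMOD from local users, which covers the question above about uploading without being able to change file modes.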
