HowToSetupFastCgiIndividualPermissions » History » Revision 1
Revision 1/39
| Next »
silverjam, 2006-02-25 20:43
First draft
= Setup FastCGI and PHP with individual user permissions =
THIS IS A WORK IN PROGRESS!''First of all: please notice that this how-to is only a suggestion on how to do this, so please don't blame anybody if you prefer to do things differently, or get mad customers, or whatever....''
''Note: This only works on *nix like operating systems. I don't know how to do this on Windows.''
IntroductionRunning a website hosting service for individual users/customers requires some extra brain-work when you set up your web-server.
Basically, you give every user an individual (ordinary) user account on your web-server. The user then uploads her PHP script files to her own virtual host document root.
What we want to do, is to execute all PHP script files with the exact same user permissions as the user that manages the virtual host in question. If this is accomplished, you can be sure that none of your users will be able to browse through other users' PHP scripts.
Consider the following PHP script executed on a web-server without individual user permissions on PHP-scripts (please do not attempt to do this, since you might end up with the police knocking on your door!):
{{{
$filename = "/path_to_other_users_vhost_root/index.php";
$handle = fopen($filename, "rb");
$contents = fread($handle, filesize($filename));
fclose($handle);
echo $contents;
?>
}}}
This will read (and show) the source code of PHP script of some other user. The source code might contain passwords that gives access to that user's MySQL databases, or other interesting stuff. You could even make a PHP script that writes PHP script files to other user's virtual host directories!
This is the setup we want to get rid of!
What about PHP's built-in safe_modeI will not say any bad things about PHP here, and you could probably just use PHP's built-in ''safe_mode'' features. (See the [http://www.php.net/manual/en/features.safe-mode.php safe_mode documentation at php.net] for a detailed description.)
However, if you rely on your operating system's build-in user permissions, you will be better off. (You can even combine the two, if you're completely paranoid.)
''...to be continued...''
Updated by silverjam almost 19 years ago · 1 revisions