Project

General

Profile

Actions

HowToSetupFastCgiIndividualPermissions » History » Revision 2

« Previous | Revision 2/39 (diff) | Next »
silverjam, 2006-02-26 17:17
....added some more.....


= Setup FastCGI and PHP with individual user permissions =

THIS IS A WORK IN PROGRESS!

''First of all: please notice that this how-to is only a suggestion on how to do this, so please don't blame anybody if you prefer to do things differently, or get mad customers, or whatever....''

''Note: This only works on *nix like operating systems. I don't know how to do this on Windows.''

Introduction

Running a website hosting service for individual users/customers requires some extra brain-work when you set up your web-server.

Basically, you give every user an individual (ordinary) user account on your web-server. The user then uploads her PHP script files to her own virtual host document root.

What we want to do, is to execute all PHP script files with the exact same user permissions as the user that manages the virtual host in question. If this is accomplished, you can be sure that none of your users will be able to browse through other users' PHP scripts.

Consider the following PHP script executed on a web-server without individual user permissions on PHP-scripts (please do not attempt to do this, since you might end up with the police knocking on your door!):

{{{
$filename = "/path_to_other_users_vhost_root/index.php";
$handle = fopen($filename, "rb");
$contents = fread($handle, filesize($filename));
fclose($handle);

echo $contents;
?>
}}}

This will read (and show) the source code of PHP script of some other user. The source code might contain passwords that gives access to that user's MySQL databases, or other interesting stuff. You could even make a PHP script that writes PHP script files to other user's virtual host directories!

This is the setup we want to get rid of!

What about PHP's built-in safe_mode

I will not say any bad things about PHP here, and you could probably just use PHP's built-in ''safe_mode'' features. (See the [http://www.php.net/manual/en/features.safe-mode.php safe_mode documentation at php.net] for a detailed description.)

However, if you rely on your operating system's build-in user permissions, you will be better off. (You can even combine the two, if you're completely paranoid.)

= Installation =

We assume that you already have Lighttpd installed, and installed PHP with FastCGI support. ([http://trac.lighttpd.net/trac/wiki/TutorialLighttpdAndPHP How to install PHP with FastCGI support])

1. Add users to the operating system

(This is only needed if you haven't added users yet.)

You must add a user account to the operating system for each user that you want to give separate user permissions, in order to deny access to other users' source code.

Let's assume that we need to create three users (fred, george, and ron):

{{{
  1. useradd fred
  2. useradd george
  3. useradd ron
    }}}
2. Add user groups to the operating system

You need to add one user group for each user added above. To keep things simple, we just name the user groups similar:

{{{
  1. groupadd fred
  2. groupadd george
  3. groupadd ron
    }}}

Now you need to add users to each of these user groups. For each user group, there must be two members: the corresponding user and the lighttpd daemon user.

You configure the user groups by editing /etc/group with your favourite text editor.

The file must look something like this (group numbers may vary):

{{{
..... [lots of stuff above]
fred:x:441:fred,lighttpd
george:x:442:george,lighttpd
ron:x:443:ron,lighttpd
}}}

''...to be continued...''

Updated by silverjam almost 19 years ago · 2 revisions