| 1 |
Angel Freire wrote: |
| 2 |
> If VirtualHost A has some php files with an access mask like 777 (common |
| 3 |
> in hostings) and VirtualHost B 'guess' the VH A full dir it can trough |
| 4 |
> fopen or many other ways open these file. |
| 5 |
|
| 6 |
All I can say is, don't do this ever. It's better to use php-cgi with |
| 7 |
wrappers like suexec or cgiwrap. Also set homedirectories to sticky |
| 8 |
group flags and group to the group, apache is into. Don't add users to |
| 9 |
this group. Then they cannot write or read in these groups. |
| 10 |
2750 is the mode mask for homedirectories and 027 the umask for users. |
| 11 |
Then your provider should be safe and trustworthy. |
| 12 |
An alternative is, give users their own groups and add the apache user |
| 13 |
into these groups all. Then one doesn't need group sticky any more. |
| 14 |
Homedir flags should still be at 750. |
Archives