ISPConfig 2.2.34

Discussion in 'Installation/Configuration' started by demortes, Nov 11, 2009.

  1. demortes

    demortes Member

    Greetings,

    I have a concern here. I followed instructions found on this forum on how to install suPHP.

    As far as I can tell, it works. I can view my sites, and I haven't been able to fully test it out.

    My concern, however, is that I still require permissions of 755 for my PHP scripts. This leaves MySQL DB passwords readable, in turn compromising security to any legit users of the box or a low security user being cracked. I don't particularly enjoy this thought and would like to protect against it. I know it's not standard security.

    Now, I've stopped people from being able to read the directories. So unless you know it's there, there's nothing you'd logically do. However, we're talking about public websites. I've got two domains on my box, demortes.hopto.org and tassault.servegame.com. tassault is under one user, and of course demortes.hopto.org is under a different user. Multiple people will be using tassault.servegame.com, and at this time all users I trust. You can obviously see, by visiting demortes.hopto.org, that it is a WordPress blog. So you know by default, the settings are located in the web root under wp-config.php. I can still "pwd" to get the present directory, assume the directory structure is the same for that user, and nano /var/www/web1/web/wp-config.php and see the MySQL DB user, database and password. Once I have that, I can do whatever I want to the MySQL DB.

    How do I prevent this, if not in ISPConfig, then perhaps on my Ubuntu 9.10 box?

    Any assistance and advice is greatly appreciated.

    Demortes

    P.S. I've read about jailing people into their home directories and whatnot, but this then blocks needed programs like make, nano, and even uptime from the enduser, which I have need for.
     
    Last edited: Nov 11, 2009
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that's not the case. As PHP scripts will be accessed by the website user, you just have to chown the files to the user and group of the website and then change the permissions to e.g. 750.
     
  3. demortes

    demortes Member

    So is it an indication that my suphp isn't working right if the site refuses to display with anything other than 755? It is owned by the user.

    Thanks for the response.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    It depends on the files. PHP files can be chowned 750 while .html files, folders and images must be world readable.

    Create a PHP script that writes a file to disk and then check which user is the owner of this new file to check if suPHP works correctly.
     
  5. demortes

    demortes Member

    The file is owned properly. So why won't the site show without 755? And my break at work is over so I can't explore too much right now.
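
A permission audit for the advice in till's replies, as an added example that is not part of the original thread: it lists PHP files that any local account can read, flags PHP files not owned by the site user, and removes "other" access from PHP files only, leaving .html files, images and folders world readable. The function names are hypothetical, and the web root and site user are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# $1 is the web root (the thread mentions /var/www/web1/web), $2 the site user.

# PHP files whose "other" read bit is set, i.e. readable by every local account.
world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004 -print
}

# PHP files not owned by the site user ($2 may be a name or a numeric uid).
foreign_owned_php() {
    find "$1" -type f -name '*.php' ! -user "$2" -print
}

# Remove all "other" access from PHP files only (755 -> 750, 644 -> 640).
# Static files and directories are not touched, because the web server
# reads those under its own account and still needs the "other" bits.
harden_php() {
    find "$1" -type f -name '*.php' -exec chmod o-rwx {} +
}

# Count non-empty lines on stdin; prints 0 when there are none.
count_lines() {
    grep -c . || true
}

# When called with a web root and a site user, print a report only.
# harden_php changes modes, so it is left for the operator to run explicitly.
if [ "$#" -ge 2 ]; then
    echo "World-readable PHP files under $1:"
    world_readable_php "$1"
    echo "PHP files under $1 not owned by $2:"
    foreign_owned_php "$1" "$2"
fi
```
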
     
