Hi, the permissions of customers log directory is not very secure. the directory and logfiles are owned by root an are world readable. so one customer is able to read foreign logfiles via ftp or php-script. any ideas?
FTP access is only possible when you disable the ftp chroot, ssh user access is only possible when you create ssh users without chroot and access by PHP is only possible when you disable open_basedir or when you allow shell exec functions in php where open_basedir is not applied. The general problem is that the log files may not be owned by the website user as he shall not be able to delete them nor write data into them. so the only option might be to change owner to root + website group and grant the group only read access.
