[thelist] Setting correct and secure permissions for session files and logs
Andy Warwick
andy.w at creed.co.uk
Mon Sep 9 23:42:00 CDT 2002
I'm setting up a PHP script on my ISP's web server and would like to create
some log and session files within my web space that only I and the web
server can use. The current setup is:
www.foobar.com
--- logs
--- public_html
------ index.php
--- sessions
At the moment all the files and directories are set with
drwxr-xr-x myuid telnet
The web server is running as nobody/nobody.
From a position of relatively newbie UNIX knowledge, I reckon the most secure
for the logs and sessions folders would be:
drwxrwx--- myuid nobody
i.e. the directories are owned by me, but are part of the web server's group
so it has read/write access.
Problem is that I can't chown the directory to be part of the 'nobody' group
because I'm not a member of that; I'm only a member of 'telnet'.
What are the security ramifications of making everyone in the telnet group
part of the nobody group? I figure this would end me up exactly where full
permissions on the directories would - everyone can get in and read the logs
and sessions.
Is there a 'best practice' solution for this?
What are the list's suggested settings for session and log folders so that
myself and the web server can read/write/examine the files in a folder,
while locking out every other user on that shared server?
Is it even possible?
TIA
Andy W
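
Added example, not part of the original post: a POSIX shell check that rebuilds the directory layout from the message in a temporary location and reports whether `logs` and `sessions` grant any access to "other" users, first with the current mode (`drwxr-xr-x`) and then with the proposed one (`drwxrwx---`). The function names and the temporary root are assumptions made for the illustration; group ownership is left as it is, since changing it is the open question in the post.

```shell
#!/bin/sh
# Added example: audit the layout from the post for access by "other" users.
# Directory names (logs, sessions, public_html) are from the post; the
# temporary root and the function names are constructed for this illustration.

# Print the 10-character mode string (e.g. drwxr-xr-x) for a path.
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Succeed only if the path grants nothing to "other" (last three mode chars).
locked_to_owner_and_group() {
    [ "$(mode_string "$1" | cut -c8-10)" = "---" ]
}

# Report each private directory; return non-zero if any is exposed.
audit_site() {
    site=$1; rc=0
    for d in logs sessions; do
        if locked_to_owner_and_group "$site/$d"; then
            echo "ok      $(mode_string "$site/$d") $d"
        else
            echo "EXPOSED $(mode_string "$site/$d") $d"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed copy of the layout with the post's current mode (755).
make_site() {
    root=$(mktemp -d) || return 1
    mkdir "$root/logs" "$root/public_html" "$root/sessions"
    chmod 755 "$root/logs" "$root/public_html" "$root/sessions"
    echo "$root"
}

# Apply the mode proposed in the post (drwxrwx---) to the private directories.
# Group ownership is not touched: moving a directory into the web server's
# group needs membership of that group or root, which is the post's problem.
harden_site() {
    chmod 770 "$1/logs" "$1/sessions"
}

# Demo: s=$(make_site); audit_site "$s"; harden_site "$s"; audit_site "$s"
```

With mode 770 the audit passes, but every member of the directory's group still has full access, so the result is only as tight as that group's membership.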