[thelist] Setting correct and secure permissions for session files and logs

Andy Warwick mailing.lists at creed.co.uk
Tue Sep 10 03:27:01 CDT 2002

(Apologies if this appears twice; sent it from the wrong email address so a
copy is queued by the moderators for manual approval. Hopefully they won't
re-post it now I have... If they do I'll tip.)

I'm setting up a PHP script on my ISP's web server and would like to create
some log and session files within my web space that only I and the web
server can use. The current setup is:

--- logs
--- public_html
------ index.php
--- sessions

At the moment all the files and directories are set with

drwxr-xr-x    myuid    telnet

The web server is running as nobody/nobody.

From a position of relatively newbie UNIX knowledge, I reckon the most secure
for the logs and sessions folder would be:

drwxrwx---   myuid   nobody

I.e. the directories are owned by me, but are part of the web server's group
so it has read/write access.

Problem is that I can't chown the directory to be part of the 'nobody' group
because I'm not a member of that; I'm only a member of 'telnet'.

What are the security ramifications of making everyone in the telnet group
part of the nobody group? I figure this would end me up exactly where full
permissions on the directories would - everyone can get in and read the logs
and sessions.

Is there a 'best practice' solution for this?

What are the list's suggested settings for session and log folders so that
myself and the web server can read/write/examine the files in a folder,
while locking out every other user on that shared server?

Is it even possible?


Andy W
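
The three layouts weighed in the message above, worked through as an added example that is not part of the original post: a small model of the classic Unix mode-bit check (owner, else group, else other, with no fall-through). It assumes plain mode bits only (no root, no ACLs); "otheruser" is a constructed second account in the telnet group.

```python
"""Model of the Unix mode-bit check for the directory layouts in the post."""


def effective_access(mode, owner, group, user, user_groups):
    """Return the rwx string that applies to `user` on a file or directory.

    Exactly one permission class is consulted: owner, else group, else
    other. A user matching an earlier class never falls through to a
    later, possibly more permissive, one.
    """
    if user == owner:
        bits = (mode >> 6) & 0o7
    elif group in user_groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))


# myuid, nobody and the telnet group come from the post; "otheruser" is a
# constructed second customer on the same shared host (an assumption).
USERS = {
    "myuid": {"telnet"},
    "nobody": {"nobody"},
    "otheruser": {"telnet"},
}

# Directory states as (mode, owner, group).
CURRENT = (0o755, "myuid", "telnet")    # drwxr-xr-x  myuid  telnet
PROPOSED = (0o770, "myuid", "nobody")   # drwxrwx---  myuid  nobody


def report(layout, users):
    """Map each user name to the access string it gets under `layout`."""
    mode, owner, group = layout
    return {u: effective_access(mode, owner, group, u, g) for u, g in users.items()}


def add_to_group(users, extra_group):
    """Return a copy of `users` with every account also in `extra_group`."""
    return {u: g | {extra_group} for u, g in users.items()}


if __name__ == "__main__":
    print("current :", report(CURRENT, USERS))
    print("proposed:", report(PROPOSED, USERS))
    # Scenario from the post: every telnet member is also put in nobody.
    print("widened :", report(PROPOSED, add_to_group(USERS, "nobody")))
```
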
