[thelist] PHP: mkdir and rmdir possible, but not chgrp, why?

deke web at master.gen.in.us
Fri Mar 23 00:41:49 CST 2001


On 22 Mar 2001, at 14:58, Tobyn Baugher wrote:

> *nod*. Apache runs as nobody/nobody by default and, for security
> reasons, that's the best way to leave it if you aren't completely sure
> you know otherwise.

I'd argue with that. 

Assuming that there are 200 websites on a hosting company's box,
if Apache runs as nobody.nogroup, then any directory *I* can write
to is also writeable by the other 199 websites.  Your CGIs should
run with the same permissions that you have when you SSH in to
use your shell account.

If you learn your hosting company has Apache running as nobody.nogroup, 
that's ample warning that they probably don't know what they are doing.
Web hosting is cheap. There's no reason to settle for incompetence.

<tip type="security">
It's OK to say "telnet" and it's OK to think "telnet"
but when it's time to actually DO "telnet", you really
should SSH instead. Telnet isn't secure.
</tip>

deke





--------
I got this powdered water. 
Now I don't know what to add. 
            -- Steven Wright
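
The point made in the message above, as an added example that is not part of the original post: a mode-bit audit listing which directories a given uid could create files in, run once for a shared web-server account and once for a per-account setup. The function names, the sample tree and its modes are constructed for illustration; the check covers classic owner/group/other bits only and ignores ACLs and parent-directory traversal.

```python
import os
import stat
import tempfile

def can_write_dir(st, uid, gids):
    """Classic Unix check: the first matching class (owner, group, other) decides.
    Creating files in a directory needs both write and search (x) permission."""
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need

def writable_dirs(root, uid, gids):
    """Directories under root that a process running as uid/gids could create files in."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        if stat.S_ISDIR(st.st_mode) and can_write_dir(st, uid, gids):
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)

def build_sample_tree(modes):
    """Constructed sample data: two sites with the given directory modes.
    On a real host each site would be owned by its own customer account."""
    root = tempfile.mkdtemp(prefix="hosting-")
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return root

# Shared web-server uid: scripts can only write where "other" has write access.
SHARED_SETUP = {"site_a": 0o755, "site_a/uploads": 0o777,
                "site_b": 0o755, "site_b/cache": 0o777}
# Scripts run as the account owner: writable directories can be owner-only.
PER_ACCOUNT_SETUP = {"site_a": 0o755, "site_a/uploads": 0o700,
                     "site_b": 0o755, "site_b/cache": 0o700}

if __name__ == "__main__":
    for name, setup in (("shared", SHARED_SETUP), ("per-account", PER_ACCOUNT_SETUP)):
        root = build_sample_tree(setup)
        st = os.stat(root)
        # A uid/gid that owns nothing in the tree stands in for "any other account".
        print(name, writable_dirs(root, st.st_uid + 1, {st.st_gid + 1}))
```
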



