Permission problem

Anon

I am running MySQL and Apache with Redhat 7.1. All my user put their homepage to public_html as usual. I got a problem about the permission setting of the php script.
I want to know what the exact permission should the php script be. I taught my users to use 644 for all the scripts. But I just got an email today saying that he got a script connecting to the database with 611 permission. It works fine but he finds that other user may telnet to the server and cat the script. As the php script contains his MySql password in plain text, other users can see it and causes a serious security problem. Please help.

Anon

sorry... i mean 644 not 611.

jeff wrote:

saloon12yrd

1) create a new group for web-using users and put them all there.
2) put your apache user (nobody) there as well.
3) chgrp all public_html directories to that group
4) chmod all public_html directories to 750

should do the trick.
besides... telnet is a bad idea if you're worried about security but that's offtopic here.

greets,

Dominique

Anon

I must provide access for my users. I agree that telnet is bad and it can be solved but close the telnetd and force them to use ssh. Anyway, that's not my concern. 😃

Back to the problem. Even if I create a group called, say, "webuser", the users of "webuser" can still ssh to the server and cat the script which does not below to him and see the plain database password in the php script. I just want to know how I can hide my database password but the other part can still works.

THANKX !

saloon12yrd

ah yeah the non-chroot problem... sorry 🙂

hm do the users really need ssh/telnet? if not you could set up a ftponly chrooted environment for them.
if they need interactive access to that machine... i know that chrooted ssh environments are possible, no idea if they're possible for telnet though.

another (unelegant) solution would be to put every web-using user in a group of its own and put the apache user there as well.
then you could chmod the public_html directory to 750 again and would be fine.

each user would be allowed to walk freely along the filesystem with the sole exception of other users public_html directories.

hmm not nice but easy to set up... decide for yourself.

Dominique