Re: [PHP] Permissions set on php script question

[Bojan Tesanovic <btesanovic@xxxxxxxxx>]

If your web-server is setup to read files with .php extension   
through PHP engine (it is I guess)
than no body from outside (using HTTP)  can't read content of  
original PHP file only the output of that particular script.

The only concern you may have is that somebody else on that server  
can read that file.
Eg anybody who can login to server can read all your files with  
permission set to read on 'other'

On May 12, 2008, at 11:37 PM, David Jourard wrote:

> Bojan Tesanovic wrote:
> > Heh you are really new to Linux
> >
> > permissions on linux are set per user/group/other bases
> >
> > so for most secure set permissions to read only for web-server user
> > so
> > chown 'webserveruser' file.php
> > chmod 400 file.php
> >
> > make sure you have root access at server so you can change that file
> >
> > or make a group for web-server as your group and set read  
> > permissions on group level
> > chmod 440 file.php
> Thank-you
>
> But most web sites are virtually hosted and do not have root access  
> to set this up.
>
> Most people just take the package and install with default masks.
>
> So again I ask:
>
> Are there are any security concerns when the read permission
> is set on other.  ie Couldn't one write a program to remotely read  
> the contents of the file.
>
>   Wouldn't it be better if the read permission was set for
> user only and the php engine
> could run the program as user like one can do for cgi using suEXEC.
>
> Again thanks
>
> David J.

Bojan Tesanovic
http://www.carster.us/