I have a web app on a Linux shared hosting machine. Let's say I have a .htpasswd file, some configs that store a database password, and generally don't want people snooping through my source code looking for vulnerabilities.
The webserver (apache) needs read access (and write in some cases) to the above files. However I don't want other people on the same shared host to have access.
I've never quite understood how this is supposed to work. The question here is similar but seems to point more at stopping the web app from hosting a passwords file accidentally.
AFAIK, all I have to work with is basic Linux permissions. On one server, I'm expected to give "others" permissions for apache. Then removing the group permissions (for the group that all other users are in) denies them access. This seems pretty roundabout. On another server there's a nobody group set on public_html with only group permissions set.
One concern is that if the apache user has access to my files, a simple script could be written by another user and executed to gain access:
<?php
// Runs as the apache user, so it can read anything apache can read
header("Content-Type: text/plain");
include $_GET['f'];
?>
TLDR: I need apache to have access to the source files and passwords, but not other users on the same machine (excepting admins ofc).
What is a common setup?