PHP & Security nightmare.

Discussion in 'PHP' started by Alex Bolton, Nov 10, 2008.

  1. Alex Bolton

    Alex Bolton Member

    I'm a DreamHost PS virtual private server user. DreamHost PS is very generous in all aspects, apart from the fact that I don't get root (ick!). This is not actually so bad with my current configuration, except for one major flaw - for PHP to write to files I need group write permission set on that file, which of course is a horrible security concern.

    At the moment my LiteSpeed installation runs as a dedicated user "lenore_lsws" with the group "pg1184884". All my other users are also in the group "pg1184884".

    Is there a better way to do this that does not involve using a privileged user (or moving to a new virtual dedicated provider, although I sadly might have to end up doing this)?
  2. mistwang

    mistwang LiteSpeed Staff

    Have you tried PHP suEXEC?

    Or, if "Role based security" like SELinux is available, you can have them give write permission on all those files to user "lenore_lsws".
  3. Alex Bolton

    Alex Bolton Member

    I believe suEXEC would not work as the LiteSpeed user would have to be a super user.

    My current idea for a workaround is to create a secondary user group that both lenore_lsws and the users I want to have write permissions share, and then use a combination of setting write permissions for the new group and using umask (thanks to a DreamHost staff member for the suggestion) to help ensure that permissions are correct in the future. It's not the most elegant of solutions but it should work fine.
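
The secondary-group workaround described in post 3, sketched as shell helpers (an added example, not part of the original thread). The group name `phpwrite` and the `example.com` path are hypothetical, and the helpers assume the host has already created that group with lenore_lsws and the chosen users as members.

```shell
#!/bin/sh
# Added example: narrow PHP write access from the broad shared group to a
# dedicated secondary group. None of these steps needs root, provided the
# caller owns the files and is a member of the target group.

# List files and directories still writable by BROAD_GROUP.
broad_writable() {   # usage: broad_writable ROOT BROAD_GROUP
    find "$1" -group "$2" -perm -020 ! -type l -print
}

# Drop group write from everything BROAD_GROUP still owns under ROOT.
revoke_broad_write() {   # usage: revoke_broad_write ROOT BROAD_GROUP
    find "$1" -group "$2" -perm -020 ! -type l -exec chmod g-w {} +
}

# Hand one directory tree to WRITE_GROUP: group-writable, not world-writable,
# with setgid on directories so files created later inherit WRITE_GROUP.
grant_write() {   # usage: grant_write DIR WRITE_GROUP
    chgrp -R "$2" "$1" || return 1
    find "$1" -type d -exec chmod g+rwxs,o-w {} + &&
    find "$1" -type f -exec chmod g+rw,o-w {} +
}

# Example call order (hypothetical path and group name):
#   revoke_broad_write "$HOME/example.com" pg1184884
#   grant_write "$HOME/example.com/uploads" phpwrite
#   umask 002   # for the users in phpwrite, so new files stay group-writable
#   broad_writable "$HOME/example.com" pg1184884   # should print nothing
```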
  4. mistwang

    mistwang LiteSpeed Staff

    Yeah, that's true. suEXEC needs root.

    suEXEC is the best solution; maybe have the DreamHost admin install the web server as root and give you sudo permission to start the web server as root.
  5. Alex Bolton

    Alex Bolton Member

    I'll ask them, I don't think they will do that for me - but it can't hurt to ask. Thank you for your help mistwang :)
