phpgroupware-users

Re: [Phpgroupware-users] Help needed: Configuration quick reference cha


From: Izzy Blacklock
Subject: Re: [Phpgroupware-users] Help needed: Configuration quick reference chart...
Date: Sat, 05 Apr 2003 13:42:10 -0700
User-agent: KMail/1.4.3

On April 5, 2003 10:51, Adam Hull wrote:
> This raises the never-ending question of permissions. It has been recommended
> numerous times to me that the phpgroupware directory and files not have x
> permissions. However, I have tested this and it does not work for me. This
> is true for the tmp directory as well.
>
> Can anyone shed some light on this?
>
> What I recommend is:
>
> phpgroupware 770
> header.inc.php 770
> files 660
> tmp 770
>
> with apache as group owner

I too am not sure on all this.  If I recall, directories need to be 
executable to be accessible.  Read only gives you the ability to list them, 
executable is needed to enter them.  Shouldn't tmp be 1777?

This document seems to do the best job of explaining things that I've seen so 
far, but I still have unanswered questions.

http://free-source.com/files/phpgw-howto.html#3.1 

If I understand this correctly, it's suggesting the phpgw tree should be owned 
by a normal user, no access rights are clearly indicated.  header.inc.php 
should be owned by apache with 400 rights. Files should be outside the phpgw 
directory with world writeable rights.  Everything else should be read only.

I've been doing the following:

phpgroupware 755 (root.root)
header.inc.php 400 (apache.root)
files 750 (apache.root)
tmp 1777 (root.root)

I do a chown root.root on all other files, but leave them with the rights they 
have out of the tar (I think 644 for files and 755 for dirs).  Initially I 
create an empty (touch) header.inc.php and make it 777 so that I can modify 
it with the setup tools.  Once it's been created, I change it as above.

The suggestion of moving the files dir to a location outside of apache 
directory areas is a good one.  It may be worth putting it on a partition of 
its own that isn't mounted with executable rights at all (mount -o noexec).   
Wouldn't this avoid any possibility of a user getting malicious code onto the 
system and somehow running it?

Is there anything more/different that should be done to improve security?  
Anyone have suggestions from the point of view of a Windows install?
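
A read-only audit of the permission layout discussed in this message, as an added example that is not part of the original post or of phpGroupWare. The function name, the finding labels and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message: read-only audit of a
# phpGroupWare-style install. Nothing is changed; findings are printed.
# Usage (constructed paths): sh audit.sh /var/www/phpgroupware \
#     /srv/phpgw-files /var/www/phpgroupware/tmp

audit_phpgw_perms() {
    code=$1; files=$2; tmp=$3
    findings=$(
        {
            # header.inc.php: the message suggests exactly 400 once the
            # setup tools have written it.
            find "$code/header.inc.php" ! -perm 400 \
                -exec printf 'header-not-400 %s\n' {} \;
            # Without the owner x bit a directory can be listed (r) but
            # not entered, so nothing inside it is reachable.
            find "$code" "$files" "$tmp" -type d ! -perm -100 \
                -exec printf 'dir-not-enterable %s\n' {} \;
            # 777 instead of 1777: without the sticky bit any local user
            # may delete or replace files owned by others.
            find "$code" "$files" "$tmp" -type d -perm -0002 ! -perm -1000 \
                -exec printf 'dir-world-writable-no-sticky %s\n' {} \;
            # World-writable code, e.g. a header.inc.php left at 777
            # after running the setup tools.
            find "$code" -type f -perm -0002 \
                -exec printf 'file-world-writable %s\n' {} \;
            # Uploaded files never need an execute bit.
            find "$files" -type f \
                \( -perm -100 -o -perm -010 -o -perm -001 \) \
                -exec printf 'upload-executable %s\n' {} \;
        } 2>/dev/null | sort -u
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when the three paths are given on the command line.
if [ "$#" -eq 3 ]; then
    audit_phpgw_perms "$@"
fi
```

The checks look at mode bits only; ownership (root.root, apache.root) is not verified because the web server account name differs between systems.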




