PHP & Security nightmare.

[Alex Bolton]

I'm a dreamhost PS virtual private server user. Dreamhost PS is very generous in all aspects, apart from the fact that I don't get root (ick!). This is not actually so bad with my current configuration, except for one major flaw - for PHP to write to files I need group write permission set on that file, which of course is a horrible security concern.

At the moment my litespeed installation runs as a dedicated user "lenore_lsws" with the group "pg1184884". All my other users are also in the group "pg1184884".

Is there a better way to do this that does not involve using a privileged user (or moving to a new virtual dedicated provider, although I sadly might have to end up doing this)?

 

[mistwang]

Have you tried PHP suEXEC?

Or, if "Role based security" like selinux is available, you can let them to give write permission to all those file for user "lenore_lsws".

 

[Alex Bolton]

I believe suexec would not work as the litespeed user would have to be a super user.

My current idea for a work around is to create a secondary user group that both lenore_lsws and the users I want to have write permissions share, and then use a combination of setting write permissions for the new group and using umask (thanks to a dreamhost staff member for the suggestion) to help ensure that permissions are correct in the future. It's not the most elegant of solutions but it should work fine.

 

[mistwang]

Yeah, that's true. suEXEC need root.

suEXEC is the best solution, maybe let dreamhost admin install web server as root, give you a sudo permission to start the web server as root.

 

[Alex Bolton]

suEXEC is the best solution, maybe let dreamhost admin install web server as root, give you a sudo permission to start the web server as root.

I'll ask them, I don't think they will do that for me - but it can't hurt to ask. Thank you for your help mistwang