(Suse 9.0, Apache 2.048, PHP 4.3.3 - all default install from SuSe ISO)
I have in my wwwroot folder (/srv/www/htdocs) a folder called counters.
I have embedded a page counter script into several of the webpages I
wrote/maintain.
ls -lias for htdocs, and below the one for htdocs/counters
5197 1 drwxr-xr-x 8 pjotr root 480 Aug 1 09:36 htdocs
131618 2 drwxrwxrwx 2 pjotr users 1592 Aug 3 17:23 counters
If I run the counter.php script from a browser (embedded) the counter txt
file is owned by the web server process:
131651 4 -rw-r--r-- 1 wwwrun www 2 Aug 3 13:41 test.counter.txt
If I removed the rwx rights for other on counters, the script fails. So far
I get it, since wwwrun is not in group users.
But then I thought, why not change ownership of counters to wwwrun, group to
www and remove rwx for all others.
So I get
131618 2 drwxrwxrwx 2 wwwrun www 1592 Aug 3 17:23 counters
But even before removing rwx for others I get the following error when
running the counter script:
Warning: fopen(): SAFE MODE Restriction in effect. The script whose uid is
500 is not allowed to access /srv/www/htdocs/counters owned by uid 30 in
/srv/www/htdocs/counter.php on line 26
Tempting as it is to disable SAFE MODE I know that is probably not good
practice. What am I missing here ? I just don't get this.
Perhaps my entire security setup is not good for this server. Do I have to
change ownership of the higher directories as well?
I am not too happy about a directory writable and executable to all the
world. I can hardly imagine that is safe practice.
So any help appreciated.
TIA
Pjotr
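
The owner comparison reported in the warning above, sketched as an added example (not part of the original post and not PHP's own code). It assumes a simplified model of safe mode: the target file is compared with the owner of the running script, and if that fails the containing directory is compared. The uid values 500 and 30 come from the warning; the gid values and the `constructed` helper are made up for illustration.

```python
"""Simplified model of the PHP safe_mode owner check (assumed, not PHP source)."""
import os
from collections import namedtuple

Owner = namedtuple("Owner", "uid gid")
SCRIPT = "/srv/www/htdocs/counter.php"
COUNTERS = "/srv/www/htdocs/counters"
TARGET = COUNTERS + "/test.counter.txt"

def stat_owner(path):
    """Owner of a real path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return Owner(st.st_uid, st.st_gid)

def safe_mode_allows(script, target, lookup=stat_owner, safe_mode_gid=False):
    """Return (allowed, reason) for `script` opening `target`."""
    me = lookup(script)
    if me is None:
        raise FileNotFoundError(script)
    blocker = None
    # File first, then its directory: one match with the script owner is enough.
    for path in (target, os.path.dirname(target)):
        owner = lookup(path)
        if owner is None:
            continue  # e.g. the counter file has not been created yet
        if owner.uid == me.uid or (safe_mode_gid and owner.gid == me.gid):
            return True, f"{path} matches the script owner"
        blocker = (path, owner)
    if blocker is None:
        return False, "neither the file nor its directory exists"
    path, owner = blocker
    return False, f"script uid {me.uid} may not access {path} owned by uid {owner.uid}"

def constructed(dir_owner):
    """Constructed ownership table mirroring the listings in the post."""
    table = {SCRIPT: Owner(500, 100),   # counter.php, uid from the warning
             COUNTERS: dir_owner,       # the directory being re-owned
             TARGET: Owner(30, 8)}      # counter file created by wwwrun
    return table.get

if __name__ == "__main__":
    # Directory owned by uid 500 (assumed to be pjotr), then by wwwrun (uid 30).
    for label, own in (("before chown", Owner(500, 100)), ("after chown", Owner(30, 8))):
        print(label, safe_mode_allows(SCRIPT, TARGET, lookup=constructed(own)))
```

Calling `safe_mode_allows(script, target)` without `lookup` compares real owners via `os.stat`, so the same check can be run against the live paths.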