[nycphp-talk] Php file owner, group and permissions

Cliff Hirsch cliff at pinestream.com
Tue Oct 16 18:27:27 EDT 2007


> Well if apache is running as nobody, php is running as nobody (most likely)
> and that's a case where I'd say you might want to reconfigure things so that
> apache/php run as a different user. Most of the time when I've seen nobody,
> there are lots of daemons running as nobody and it might not be a good idea
> to have so much running as nobody (in case someone manages to hijack
> something else that's running as nobody). Creating a user like www might
> work, but as you know it all depends. Also, keep in mind that if you chown
> stuff to a user that is not a login user and you have shell users that need
> to edit those files you will run into a problem (but that's where group
> perms really do come in handy).
> 
> My shared host chowns files that they want me to be able to edit to my shell
> user, with the group being a special group they have created for process
> segregation. For files they don't want me to edit (some special log files
> mostly), they chown those files to the segregated "apache user". On the
> servers at my office anyone who needs to edit files is also trusted with sudo
> rights (very few of us) so we can edit any file on the system regardless of
> who owns the file. If you are the only user you might not need to worry about
> that as much but (last time I promise...) it depends ;)
> 
> Again it's really only a problem if your PHP has to write to files on the
> system and not strictly to some mysql db, for example. As long as the php
> interpreter and apache (and of course, the world, that is - web browsers) can
> see the files you should be alright.
> 
> Hope it helps!
> 
> --Mike H
> 
Mike:

Many thanks. This was really helpful. My strategy is already formulating. A
brew or two and it will be solidified....
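
An added example, not part of the original thread: a small audit of a web root laid out the way the quoted message describes (files owned by the shell user, the web server reaching them through a dedicated group). The function name `audit_webroot` and the writable subdirectory name `uploads` are assumptions made for illustration.

```shell
#!/bin/sh
# Audit a web root for permissions that defeat the owner/group split:
#   - owner  = shell user who edits the files
#   - group  = the group the web server (apache/php) runs under
#   - other  = no write access anywhere
# The group may write only inside one designated subtree (e.g. uploads).

# audit_webroot ROOT WRITABLE_SUBDIR
# Prints one finding per line as "<reason> <path>"; prints nothing when clean.
audit_webroot() {
    root=$1
    writable=$2   # hypothetical name of the only subtree PHP may write to

    # World-writable entries: any local account, including every other
    # daemon that runs as "nobody", can modify them.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/world-writable /'

    # Group-writable entries outside the writable subtree: the web server's
    # group only needs read access there. Entries already reported as
    # world-writable are skipped to avoid duplicate findings.
    find "$root" -path "$root/$writable" -prune -o \
        \( -type f -o -type d \) -perm -0020 ! -perm -0002 -print |
        sed 's/^/group-writable /'
}

# Stand-alone use: sh audit.sh /path/to/webroot [writable-subdir]
if [ "$#" -ge 1 ]; then
    audit_webroot "$1" "${2:-uploads}"
fi
```

An empty result means PHP can write only where it was explicitly allowed to; each reported path is a file or directory the web server's group, or every account on the host, could change.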