 Posted by Brett on 05/10/05 19:14 
Hi, 
 
I've written a web-based file manager using PHP and running on 
an Apache 2 server. Before putting it on a live webserver I'd like to get 
some security suggestions. 
 
Desired Goals: 
 
1. Read, write text files from a web browser. 
2. Files should be owned by me so as not to be readable\writable to other 
webserver users or their scripts. 
 
Will running in safe mode allow my file manager to read\write files as 
"me" and not as "apache" or the UID of apache? 
 
If I keep my data directory outside of Apache's document root, will this 
prevent remote viewing of it? 
 
If I keep my PHP scripts out of document root, will they be hidden from 
remote viewers? 
 
My likely webtree directory structure is this: 
 
 
Document Root: 
 
/var/www/html/myWebsite 
 
PHP Scripts: 
 
/var/www/php/myWebsite 
 
My data the file manager will access: 
 
/var/www/data/myWebsite 
 
All three directories will be owned by my user id. Apache will be 
configured to run scripts from the scripts dir. The data dir will be 
opened with open_baseDir. I will set up .htaccess on the data directory. 
 
Combine this with safe mode, and will I have the desired effect? 
 
Thanks, 
-brett
 