
I'm a bit baffled here. But it might just be my lack of experience.

I have set up PHP DSO (mod_php) and my server runs smoothly and stably. The issue is, though, that in order to run PHP with includes and everything, I had to set the owner of all user account files (/home/*/public_html/*) to nobody:nobody.

This introduces two questions for me:

- Is this really necessary? I'd rather have them user:user.
- What about FTP? If I upload files using FTP, they're owned by user:user, so they can't be included in another PHP file (throws errors). Files that are owned by nobody:nobody can't be modified through FTP.

FYI: I also have SuEXEC enabled. Should I disable this?

FYI2: I know I could set all permissions to 777, but that's just wrong.

Thanks a lot!

eleven59
  • Look at [this answer](http://stackoverflow.com/questions/4453078/how-can-i-tell-apache2-run-mod-php5-by-default-but-run-this-vh-in-cgi-mode/4453201#4453201). It's pretty much what I would have answered here. ([Or this](http://stackoverflow.com/questions/4711609/running-exec-as-a-different-user/4711677#4711677)). – Linus Kleen Mar 10 '12 at 10:27
  • Thanks, but I switched to DSO from SuPHP because I want to use opcache (eAccelerator). I really need to know what the permissions ought to be. – eleven59 Mar 10 '12 at 10:30
  • In that case you can only have *one* distinct user acting out and running PHP. I don't know which distro you're running, but each generally introduces a group (Debian: `www-data`) under which Apache workers are running. You might want to change the current group Apache is running under (apparently "nobody") to something commonly shared across all users and have the corresponding PHP files set to at least `rw-r-----` - or `0640`. – Linus Kleen Mar 10 '12 at 11:39

1 Answer


Ordinarily, "nobody" should only read the files being executed, and write/own only the files that can be changed by PHP. The owner of most files should be your FTP user.

It is bad practice to let PHP keep rights to change executable files.

Also, if "nobody" has rights to run as root, it gives PHP (and therefore users) all of its rights.

Electronick
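An audit of the ownership model described in the answer and comments above, added here as an example and not code from the original posts. The function names `audit_docroot` and `tag` are hypothetical, and the script assumes mod_php runs as one shared account that reaches user files through a shared group with mode 0640.

```shell
#!/bin/sh
# Added example: audit a docroot against the ownership model discussed above.
# Assumption: mod_php runs as one shared account (WEB_USER, "nobody" in the
# question) and reads user files through a shared group with mode 0640.
# Usage after sourcing: audit_docroot /home/USER/public_html nobody

# tag REASON: prefix every path read from stdin with REASON and a tab.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_docroot DIR WEB_USER
# Prints "reason<TAB>path" per finding; returns 1 if there is any finding.
audit_docroot() {
    root=$1
    web_user=$2
    findings=$(
        # Anything world-writable: the "777" shortcut from the question.
        find "$root" ! -type l -perm -0002 | tag world-writable
        # PHP code owned by the web server account: PHP could rewrite it.
        find "$root" -type f -name '*.php' -user "$web_user" | tag owned-by-web-user
        # PHP code writable through the group: 0640 gives the group read only.
        find "$root" -type f -name '*.php' -perm -0020 | tag group-writable-code
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Directories that PHP must write to, such as an upload directory, are the only places where ownership by the web server account is expected, so findings there need a manual decision rather than an automatic fix.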