Quote:
|
Originally Posted by fhltang
Without phpsuexec, there was a relatively simple mechanism - namely that of the OS's file permissions system - to be able to sandbox php applications [edit: sandbox it from *my* files, rather than other people's www files]. For example, by simply making sure my mail folders are owned by me:mail and have 660 perms, I have a fairly reasonable guarantee that any process running as nobody (i.e. php apps in a pre-phpsuexec era) won't be able to read or write to them.
|
PHPsuExec involves PHP only. It does not deal with Mail. Mail ownership (inbox) remains "me:mail" [user:group] with 660 permissions.
- 6xx -> me; read and write.
- x6x -> mail; read and write.
- xx0 -> world, nobody, 99; gets to do nothing.
PHPsuExec does not affect: apache, perl, ruby, OS, etc. --- only PHP. Since PHP cannot execute higher than the public_html folder, it cannot mess with any of those files.
Any files within the public_html directory and subdirectories that do not have a PHP executable extension (.php, .phtml, etc.) also are not involved and can be given any permission you want as long as it has at least a read bit, minimum 444, ie., a 444 .jpg will read and display in a browser but not even the user can overwrite with a PHP script.
If you need to write to a file it has to have a user write permission (6xx) and owned by the user and have a group of the user.