Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
What methods exist to restrict which directories a user may browse on the filesystem? I want to prevent php scripts from being able to view system files. I've seen two solutions, but neither is satisfactory:
Chrooting a directory that the script is in, but this requires that all the necessary php libraries/files are moved/copied into the right place relative to the chroot directory. I don't feel that I have the technical ability to achieve this.
Putting php into safe mode and disabling *nasty* php functions. But this is ineffective if just one obscure *bad* php function is missed.
Hi, and thanks for the response. Are you suggesting that I chmod the whole file system "chmod -R o-rwx"? Wouldn't this break stuff?
Basically if you created a new user, could you deny the whole filesystem to that user, everything under / except for one specific location, say /var/www/http_docs?
Like I said in my original post, I'm not confident to set up a chroot gaol with all the necessary php files inside.
Method 1 (hard, though effective): chrooting PHP. Described here and here.
Method 2 (easy): use open_basedir restriction.
Method 3 (easiest): chmod. To prevent other users from BROWSING (reading contents of directory) use chmod o-r. man chmod is a way to go.
Obviously it's possible to set the global read bit to 0 for every single file on the filesystem, but will this leave the machine in a working state? I would have thought that there are various bits and bobs that need the global read bit set on filesystem files in order to do their jobs properly.
Quote:
Originally Posted by Web31337
Method 3 (easiest): chmod. To prevent other users from BROWSING (reading contents of directory) use chmod o-r. man chmod is a way to go.
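
An added example, not part of the thread, relating to the chmod approach discussed above: a user who is neither owner nor group member needs the execute (search) bit on every directory leading to a path, so this sketch lists the directories between a base and a target that lack it. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists directories on the way from
# BASE to TARGET that "other" users cannot traverse, i.e. where o+x is missing.

# other_can_traverse DIR -> exit 0 if DIR has the other-execute bit set.
other_can_traverse() {
    # 10th character of the ls -ld mode string is other-execute.
    # "x" = set, "t" = set together with the sticky bit.
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# blocked_dirs BASE TARGET -> prints one blocking directory per line.
# TARGET must be BASE itself or a path below it.
blocked_dirs() {
    base=${1%/}
    target=${2%/}
    rel=${target#"$base"}          # remaining path below BASE, e.g. /site/docs
    cur=$base
    [ -n "$cur" ] || cur=/         # BASE was the filesystem root
    other_can_traverse "$cur" || printf '%s\n' "$cur"
    while [ -n "$rel" ]; do
        rel=${rel#/}
        part=${rel%%/*}            # next path component
        cur=${cur%/}/$part
        other_can_traverse "$cur" || printf '%s\n' "$cur"
        case $rel in
            */*) rel=${rel#*/} ;;
            *)   rel= ;;
        esac
    done
}

# Constructed sample tree: "site" has had its other bits stripped (750),
# so an unrelated account could not reach site/docs even though docs is 755.
demo=$(mktemp -d)
mkdir -p "$demo/site/docs"
chmod 755 "$demo" "$demo/site/docs"
chmod 750 "$demo/site"
echo "Directories blocking 'other' users:"
blocked_dirs "$demo" "$demo/site/docs"
rm -rf "$demo"
```

On a real system the call would be something like `blocked_dirs / /var/www/http_docs`, using the path mentioned in the thread.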