阿帕奇不是让我进入属于其他用户的文件夹 [英] Apache not allowing me to enter folders belonging to other users
问题描述
我想建立PHP会话,suPHP(见<一href=\"http://stackoverflow.com/questions/9542263/need-help-implementing-php-sessions-in-suphp\">here).我需要有用户所拥有的我的PHP验证文件,这样当suPHP踢,将正确的用户这样做。不过,我也并不希望用户能够访问该文件,流就可以对其进行编辑刚刚返回true而不是实际检查数据库。
I am trying to set up PHP sessions for suPHP (see here). I need to have my php validation file owned by the user so that when suPHP kicks in, it will do so for the correct user. However, I also don't want the user to have access to that file, o.w. they can edit it to just return true rather then actually check the database.
我的第一次尝试这样的事情(如Apache运行于用户 www数据)
My first attempt was something like this (where Apache runs as user www-data)
/etc/validate
├── [drwx------ www-data ] user1
│ └── [-rwx------ user1 ] validate.php
/var/www/
└── [drwx------ user1 ] user1
└── [-rwx------ user1 ] index.html
然后让网页重定向到验证页面,这将验证,然后返回 /var/www/user1/index.html
RewriteCond %{REQUEST_URI} !^/xyz
RewriteRule ^(.*) /etc/validate/user1/validate.php?uri=$1
不过suPHP抱怨说,我在访问我的文档根目录以外的东西( /无功/网络/用户1 )。我不想设置文档根目录为 / 和更新 suphp.conf 文件,以便 check_vhost_docroot = FALSE ,不解决(我也不是为了解决这个问题)。所以,相反,我刚刚搬到的/ etc /验证到 /无功/网络像这样(这是一个有点乱,我知道了)
However suPHP complains that I am accessing something outside of my docroot (/var/www/user1). I don't want to set the docroot to / and updating suphp.conf file so that check_vhost_docroot=false, doesn't fix (and I don't it is meant to fix this). Therefore, instead I just moved /etc/validate into /var/www like so (it's a little messy, I know)
/var/www/
└── [drwx------ user1 ] user1
├── [-rwx------ user1 ] index.html
└── [dr-x------ www-data ] validate
└── [-rwx------ user1 ] validate.php
所以,现在的验证文件是
So now the validate file is
- 在文档根目录
- 已由user1所有
- 将user1的不可编辑
但现在,如果我尝试加载网页我收到以下错误
But now if I try to load the page I get the following error
Directory /var/www/user1/validate is not owned by user1
在这一点上,我失去了我的耐心,所以我只是坚持的另一个虚拟文件夹中有这样的文件结构看起来像这样
At this point I am losing my patience, so I just stick another dummy folder in there so the file structure looks like so
/var/www/
└── [drwx------ user1 ] user1
├── [-rwx------ user1 ] index.html
└── [dr-x------ www-data ] validate
└── [drwx------ user1 ] dummy
└── [-rwx------ user1 ] validate.php
现在,当我尝试加载网页,Apache的告诉我:您没有权限访问此服务器上的某某。其中, XYZ 是我的域名后,无论发生什么事。我不知道为什么Apache的告诉我,因为我的不可以试图访问尾随值作为一个文件/文件夹。我认为,重定向失败和Apache就假定它是失败的硬链接。
Now, when I try to load the page, Apache tells me "You don't have permission to access xyz on this server." where xyz is whatever comes after my domain name. I don't know why Apache is telling me that because I am not trying to access the trailing values as a file/folder. I think, the redirect is failing and Apache just assumes it is the hard link that is failing.
谁能告诉我什么,我做错了或能够编辑文件,prevent用户提供的另一种方式。它不能进入目录假,因为它的权限是的rwx ------ 只有 USER1 能 CD 进去。当我改变的权限从 0700 到 0755 ,就又回到suPHP错误。所以,现在的问题就变成了:我如何得到它时,舞台后方的一个目录中被其他人所拥有suPHP执行脚本
Can anyone tell me what I am doing wrong or provide an alternative way to prevent users from being able to edit their files. It could not get into directory dummy because its permissions were rwx------ and only user1 could cd into it. When I changed the permissions from 0700 to 0755, it went back to suPHP errors. So the question now becomes: how do I get suPHP to execute scripts when one of its upstage directories is owned by someone else?
编辑:我现在明白为什么阿帕奇抱怨。它不能进入
I realize now why Apache was complaining. It could not get into
推荐答案
我找不到任何官方链接,这一点,但根据的此网站:
I can't find any official link for this, but according to this site:
所有文件和放大器;目录必须由您的用户名所拥有,而不是人或其他名称/编号。如果它不属于你,suPHP会拒绝运行该脚本并产生一个内部服务器错误500。
All Files & Directories MUST be owned by your username, and not "nobody" or some other name/number. If it is not owned by you, suPHP will refuse to run the script and produce an "Internal Server Error 500".
我能理解文件,但我不认为有必要目录属于你。我已经找到了一个补丁在线(见这里),但是,我不知道,如果它还是不如我没有测试它。
I can understand files, but I don't see the need for directories to belong to you. I have found one patch online (see here), however, I don't know if it works or not as I have not tested it yet.
编辑:有一种方法可以让用户将他们的文档根目录以外的访问脚本(通过 suPHP_GlobalDocRoot )。我无法得到它的工作对我来说,阿帕奇声称它是一个语法错误。在任何情况下,即使它的工作,它仍然需要至少执行访问 0111 (也可能读 0555 )上的所有目录中的所有一路攀升到 / 。
There is a way to allow users to access scripts outside of their docroot (via suPHP_GlobalDocRoot). I can't get it to work for me, Apache claims it is a syntax error. In any case, even if it did work, It would still require at least execute access 0111 (and possibly also read 0555) on all the directories all the way up to /.
因此,我pretty信心有绝对没有解决我的问题。我为此接受这个作为答案。如果有人设法提供一个我将选择另一个答案。
Therefore, I am pretty confident there is absolutely no solution to my problem. I am therefor accepting this as the answer. I will select another answer if someone manages to provide one.
这篇关于阿帕奇不是让我进入属于其他用户的文件夹的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
