Unix权限，读取与执行（PHP上下文） [英] Unix permissions, read vs. execute (PHP context)

问题描述

我有一个需要连接数据库的php脚本。数据库的凭据存储在另一个PHP脚本中。

I have a php script which needs to connect to a database. The credentials for the database are stored in another php script.

如果我将凭证文件的权限设置为661，以便Public具有执行权限但不具有读取权限，这允许主脚本访问凭据并连接到数据库，同时防止服务器上有用户帐户的人查看凭证文件的内容？

If I set the permissions for the credentials file to 661 so that Public has execute permission but not read permission, does this allow the main script to access the credentials and connect to the DB while preventing someone with a user account on the server from viewing the contents of the credentials file?

我猜我对阅读和执行之间的区别感到困惑。 PHP脚本（作为www或类似的东西运行）是否需要读取权限才能包含另一个PHP脚本并使用其中的任何内容？还是只需要执行？读取权限是否隐含地赋予执行权限？

I guess I'm confused as to the distinction between read and execute. Does a php script (running as www or something similar) need read-permission to include another php script and use any content inside? Or does it just need execute? Does read permission implicitly give execute permission?

子问题：如果我将所有脚本设置为只具有执行权限而不读取，那么我是否应该有任何陷阱？这假设我将保留任何我需要显式读取权限（数据文件）设置为读取的文件。

Sub-Question: If I set all of my scripts to only have execute permission and not read, are there any pitfalls I should expect? This is assuming that I will leave any files I need explicit read permission (data files) set to read.

推荐答案

至于对于文件而言，执行权限与您无关 - 您的Web服务器运行的用户帐户需要访问和读取相关文件的权限。为了遍历目录，用户还需要该目录的执行权限。

As far as files are concerned, execute permission is irrelevant to you - the user account your web server is running under needs permission to access and read the files in question. In order to traverse into a directory, the user will also require execute permission on that directory.

如果你试图使你的脚本可以被web服务器读取（让我们说你运行的是属于www组的帐户www，而不是系统上的其他用户，这就是我要做的（假设你的帐户是myuser）：

If you are trying to make your scripts readable by the web server (let's say you're running as the account "www" which belongs to group "www"), and not by other users on the system, here's what I would do (assumes your account is "myuser"):

# Change owner to "myuser" and group to "www" for file(s) in question
chown myuser:www config.php

# 640: myuser has rw-, www has r--, world has ---
chmod 640 config.php

如果你想阻止世界读取秘密目录中的任何文件，只需禁用执行位：

If you want to prevent the world from reading any file in a "secrets" directory, just disable the execute bit:

# 750: myuser has rwx, www has r-x, world has ---
chmod 750 secrets

如果您将所有脚本设置为具有执行权限但没有读取权限，则没有人可以对它们执行任何有用的操作（包括网络服务器）; - ）

If you set all your scripts to have execute permission but not read permission, nobody can do anything useful with them (including the webserver) ;-)

这篇关于Unix权限，读取与执行（PHP上下文）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！