Apache 不允许我输入属于其他用户的文件夹 [英] Apache not allowing me to enter folders belonging to other users
问题描述
我正在尝试为 suPHP 设置 PHP 会话(请参阅此处).我需要用户拥有我的 php 验证文件,以便当 suPHP 启动时,它会为正确的用户这样做.但是,我也不希望用户访问该文件,o.w.他们可以编辑它只返回 true 而不是实际检查数据库.
I am trying to set up PHP sessions for suPHP (see here). I need to have my php validation file owned by the user so that when suPHP kicks in, it will do so for the correct user. However, I also don't want the user to have access to that file, o.w. they can edit it to just return true rather then actually check the database.
我的第一次尝试是这样的(Apache 以用户 www-data 运行)
My first attempt was something like this (where Apache runs as user www-data)
/etc/validate
├── [drwx------ www-data ] user1
│ └── [-rwx------ user1 ] validate.php
/var/www/
└── [drwx------ user1 ] user1
└── [-rwx------ user1 ] index.html
然后将网页重定向到验证页面,验证页面将进行验证,然后返回 /var/www/user1/index.html
Then have the web pages redirect to the validate page, which would validate, then return /var/www/user1/index.html
RewriteCond %{REQUEST_URI} !^/xyz
RewriteRule ^(.*) /etc/validate/user1/validate.php?uri=$1
然而 suPHP 抱怨我正在访问我的 docroot (/var/www/user1) 之外的东西.我不想将 docroot 设置为 / 并更新 suphp.conf 文件,以便 check_vhost_docroot=false 不会修复(和我不是为了解决这个问题).因此,我只是将 /etc/validate 移动到 /var/www 像这样(这有点乱,我知道)
However suPHP complains that I am accessing something outside of my docroot (/var/www/user1). I don't want to set the docroot to / and updating suphp.conf file so that check_vhost_docroot=false, doesn't fix (and I don't it is meant to fix this). Therefore, instead I just moved /etc/validate into /var/www like so (it's a little messy, I know)
/var/www/
└── [drwx------ user1 ] user1
├── [-rwx------ user1 ] index.html
└── [dr-x------ www-data ] validate
└── [-rwx------ user1 ] validate.php
所以现在验证文件是
- 在文档根目录中
- 由用户 1 拥有
- 用户 1 不可编辑
但是现在如果我尝试加载页面,我会收到以下错误
But now if I try to load the page I get the following error
Directory /var/www/user1/validate is not owned by user1
此时我正在失去耐心,所以我只是在其中粘贴了另一个虚拟文件夹,因此文件结构看起来像这样
At this point I am losing my patience, so I just stick another dummy folder in there so the file structure looks like so
/var/www/
└── [drwx------ user1 ] user1
├── [-rwx------ user1 ] index.html
└── [dr-x------ www-data ] validate
└── [drwx------ user1 ] dummy
└── [-rwx------ user1 ] validate.php
现在,当我尝试加载页面时,Apache 告诉我您无权访问此服务器上的 xyz."其中 xyz 是我的域名之后的任何内容.我不知道为什么 Apache 会告诉我,因为我不试图将尾随值作为文件/文件夹访问.我认为,重定向失败了,Apache 只是假设它是失败的硬链接.
Now, when I try to load the page, Apache tells me "You don't have permission to access xyz on this server." where xyz is whatever comes after my domain name. I don't know why Apache is telling me that because I am not trying to access the trailing values as a file/folder. I think, the redirect is failing and Apache just assumes it is the hard link that is failing.
谁能告诉我我做错了什么或提供一种替代方法来阻止用户编辑他们的文件.无法进入dummy目录,因为它的权限是rwx------,只有user1可以cd> 进去.当我将权限从 0700 更改为 0755 时,它又回到了 suPHP 错误.所以现在的问题变成了:当 suPHP 的一个 upstage 目录归其他人所有时,我如何让 suPHP 执行脚本?
Can anyone tell me what I am doing wrong or provide an alternative way to prevent users from being able to edit their files. It could not get into directory dummy because its permissions were rwx------ and only user1 could cd into it. When I changed the permissions from 0700 to 0755, it went back to suPHP errors. So the question now becomes: how do I get suPHP to execute scripts when one of its upstage directories is owned by someone else?
我现在明白为什么 Apache 抱怨了.它无法进入
I realize now why Apache was complaining. It could not get into
推荐答案
我找不到任何官方链接,但根据 这个站点:
I can't find any official link for this, but according to this site:
所有文件和目录必须由您的用户名拥有,而不是nobody"或其他名称/号码.如果它不归您所有,suPHP 将拒绝运行该脚本并产生内部服务器错误 500".
All Files & Directories MUST be owned by your username, and not "nobody" or some other name/number. If it is not owned by you, suPHP will refuse to run the script and produce an "Internal Server Error 500".
我可以理解文件,但我不认为目录需要属于您.我在网上找到了一个补丁(请参阅此处),但是,我不知道它是否有效,因为我还没有测试过.
I can understand files, but I don't see the need for directories to belong to you. I have found one patch online (see here), however, I don't know if it works or not as I have not tested it yet.
有一种方法可以让用户访问其 docroot 之外的脚本(通过 suPHP_GlobalDocRoot).我无法让它为我工作,Apache 声称这是一个语法错误.在任何情况下,即使它确实有效,它仍然至少需要对所有目录执行访问0111(并且可能还读取0555)一直到<代码>/.
There is a way to allow users to access scripts outside of their docroot (via suPHP_GlobalDocRoot). I can't get it to work for me, Apache claims it is a syntax error. In any case, even if it did work, It would still require at least execute access 0111 (and possibly also read 0555) on all the directories all the way up to /.
因此,我非常有信心绝对没有解决我的问题.因此,我接受这个作为答案.如果有人设法提供一个答案,我会选择另一个答案.
Therefore, I am pretty confident there is absolutely no solution to my problem. I am therefor accepting this as the answer. I will select another answer if someone manages to provide one.
这篇关于Apache 不允许我输入属于其他用户的文件夹的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
