I understand why dream host has web request execute as the owning user; however, it’s making it hard to secure my website. Maybe there’s something someone can suggest to help me out? Please read on.
I’m coming from a co-lo I used to own, so I’m used to having the user executing my web requests being the apache user (“apache”). Since this was the case, it was easy to secure sites from modification – just make the sites world readable only – the apache user could not possibly modify anything – just read.
Now that my shell user is the executing user, I cannot truly secure a site. I use drupal and if the calling user can run code, they can do anything (within my directory tree of course). Is there any way of preventing write access to the running user? (I could chmod it 0444, but the executing user is still the file owner so it could chmod it back before writing… or delete the file altogether)
I tried creating another user (user “B”) and having that user be the executing user. I then created a symlink from the root directory of the site (in user "B"s directory tree) to the real directory containing the files in the primary user’s home directory. This should work – user “B” can read the files (i.e. cat them), but apache reports a 403 error when trying to execute the index.php file.
Anyone have any ideas?