Unix security (warning! newbie)


#1

Quick question: can other users on a DreamHost server (besides root) make their way into my directory and view my files? I tried this and it didn’t seem possible to use the “ls” command, which is good. I’m asking because I’m curious what kind of permissions are necessary for my files with passwords in them (scripts for mysql backups on my crontab…)


#2

It depends. If you make a directory executable but not readable, people can’t list the contents of the directory, but they can read files within it if they know the file’s name.

Files that are sensitive should generally be set to permissions of 0600. Obviously, any file that’s accessible to the web will need to be world readable (i.e. 0644), and I think your home directory has to be at least executable for your site to show up properly.


#3

CGI scripts (and PHP-CGI scripts (but NOT “normal” PHP scripts)) will be running as your user and group and so will be able to read files with 600 permissions (which means readable only by your user).

So if you’re guarding MySQL passwords or something, by all means set the permissions to be 600.

If you’re using the “normal” in-Apache PHP, it’s running as Apache’s user and the sensitive files will have to be 644.

More info on PHP & security:

https://kbase.newdream.net/?area=2526
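
An added example, not part of any post in this thread: a shell audit that finds files group or other users can read and removes that access, run against a constructed sample tree. The function names, directory layout and file names (`db.cnf`, `safe.cnf`) are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. All paths and file names are constructed.

# List regular files under $1 that group or other users can read.
readable_by_others() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Strip all group/other access from those files, keeping the owner's bits
# (0644 becomes 0600, 0755 becomes 0700).
lock_down() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -exec chmod go-rwx {} +
}

# Build a constructed sample tree and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/private" "$d/public_html"
    # Created under a permissive umask: lands as 0644.
    ( umask 022; printf 'password=EXAMPLE\n' > "$d/private/db.cnf" )
    # Created under umask 077: lands as 0600 from the start.
    ( umask 077; printf 'password=EXAMPLE\n' > "$d/private/safe.cnf" )
    # Web content has to stay world readable.
    ( umask 022; printf '<p>hello</p>\n' > "$d/public_html/index.html" )
    # Executable but not readable for others: hides the listing only,
    # db.cnf is still readable by anyone who knows its name.
    chmod 711 "$d/private"
    printf '%s\n' "$d"
}

# Show the audit before and after tightening, then clean up.
demo() {
    s=$(make_sample) || return 1
    echo "readable by others before:"; readable_by_others "$s/private"
    lock_down "$s/private"
    echo "readable by others after:";  readable_by_others "$s/private"
    rm -rf "$s"
}

demo
```

Setting `umask 077` before a script writes a password file means the file is never readable by others, even for the moment between creation and a later `chmod`.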