I am trying to help a friend moving a web-site from one web-hotel to another. The old place is already closed, I have only a flat tar file of what was in it.
我正在努力帮助一位朋友将网站从一个网站搬到另一个网站。旧的地方已经关闭,我只有一个平坦的tar文件。
The web site contained HTML docs and one could download a little Java application (to be loaded on mobile phone) to send data to the web site.
该网站包含HTML文档,可以下载一个小的Java应用程序(将在手机上加载)以将数据发送到网站。
The mobile Java application sent a string to URL=<HOST>/php/register.php. This php script included another php script (../inc/db_login.php), which connected to a SQL DB using $link=mysql_connect(). Another file, register.php, did the SQL insert for putting the new sent data in the DB.
移动Java应用程序将字符串发送到URL =
My question is basicaly, where I should put this 2 PHP files on the new website and what permissions the directories and files should have?
我的问题是基本的,我应该把这2个PHP文件放在新网站上以及目录和文件应该具有哪些权限?
The old web server obviously had a /php and /inc directories. None of these exists on the new webserver. Should I create them? What permission should they have? I guess the reason for having the password in a separate PHP file was security. The /php and /inc directory probably had different permissions.
旧的Web服务器显然有一个/ php和/ inc目录。新网络服务器上不存在这些。我应该创建它们吗?他们应该获得什么许可?我想在单独的PHP文件中使用密码的原因是安全性。 / php和/ inc目录可能具有不同的权限。
The new server has directories:
新服务器有目录:
/httpdos- / httpdos
/httpsdos- / httpsdos
/cgi-bin- / cgi-bin目录
-
/conf(and some others probably irrelevant) - / conf(和其他一些可能不相关的)
My questions
我的问题
-
Does the file-extension (
.php) mean something to the server: as PHP scripts are "included" in HTML code (between<?...?>, does the server need to look at the file suffix or is it irrelevant? (I understand that the server reacts on the<?...?>, of course)文件扩展名(.php)对服务器意味着什么:因为PHP脚本被“包含”在HTML代码中(在<?...?>之间,服务器是否需要查看文件后缀或者它是否无关紧要? (我知道服务器对<?...?>做出反应,当然)
-
should the public file (
register.phpin my case) be placed in thehttpdocs/directory or does the server (apache I think) reacts on something and fetches it in another directory?应该将公共文件(在我的情况下为register.php)放在httpdocs /目录中,还是服务器(我认为是apache)对某些内容做出反应并将其提取到另一个目录中?
-
Should the PHP script have permission
R-X(read and execute),--X(execute) orR--(read)? From a OS perspective I guess apache is just reading this files, meaning that they should beR--, but this would mean that if PHP service is "stopped" the client would get all the PHP code in his browser(?). I would prefer it being--Xbut as this is neither a binary nor has a#!, I guess it must be--R?PHP脚本是否应具有R-X(读取和执行), - X(执行)或R--(读取)权限?从操作系统的角度来看,我猜apache只是读取这些文件,这意味着它们应该是R--,但这意味着如果PHP服务被“停止”,客户端将在其浏览器中获取所有PHP代码(?)。我希望它是-X但是因为这既不是二进制也不是#!,我想它一定是-R?
-
If the public PHP script can be placed in another dir (e.g
/phpinstead of/httpdocs) what should/php(and the script) have for permission?. I guess the server has to know about this/phpdirectory (or are there usual defaults?)如果公共PHP脚本可以放在另一个目录(例如/ php而不是/ httpdocs)/ php(和脚本)应该获得什么权限?我想服务器必须知道这个/ php目录(或者是否有通常的默认值?)
-
The PHP script included (
../inc/db_login.php, containing SQL password) should not be under/httpdocsI guess. This means that myregister.phpis including a file which is not under the/httpdocssubtree. Does this work? Does the server need to know?包含的PHP脚本(../inc/db_login.php,包含SQL密码)不应该在/ httpdocs下。这意味着我的register.php包含一个不在/ httpdocs子树下的文件。这有用吗?服务器需要知道吗?
I understand you may need to know the server configuration. Just assume the default in your answer (and you can tell where it is changed if it is).
我知道您可能需要了解服务器配置。只需假设答案中的默认值(如果是,您可以知道它的更改位置)。
5 个解决方案
#1
48
Directories must have execute permissions to be usable. Usually this is 0755. PHP scripts run via mod_php are not executed but rather read; 0644 will suffice for this. Directories that must be written to need to be owned by the user the web server is running as. There may be additional concerns regarding permissions, e.g. SELinux, but the above will get you through the basics.
目录必须具有可执行的执行权限。通常这是0755.通过mod_php运行的PHP脚本不会执行,而是读取; 0644就足够了。必须写入的目录需要由Web服务器运行的用户拥有。关于权限可能还有其他问题,例如: SELinux,但上面的内容将帮助您了解基础知识。
Documents that must not be accessed by other users or external clients should be 0600, owned by the web server user, and located outside the DocumentRoot. Note that running mod_php in Safe Mode will prevent scripts from ever including anything outside the DocumentRoot; a lamentable flaw.
其他用户或外部客户端不得访问的文档应为0600,由Web服务器用户拥有,位于DocumentRoot外部。请注意,以安全模式运行mod_php将阻止脚本包含DocumentRoot之外的任何内容;一个可悲的缺陷。
#2
9
Set php files to 640
For maximum security you should set minimum permissions, which is 640.
为了最大限度地提高安全性,您应该设置最小权限,即640。
- The owner 6 would be the one uploading the files.
- 所有者6将是上传文件的人。
- The group 4 would be the one serving the file. Make apache a group member.
- 第4组将是服务该文件的组。使apache成为组成员。
- The nobody 0 means no other users can read this file. It's important since php scripts sometimes have passwords and other sensitive data.
- nobody 0表示没有其他用户可以读取此文件。这很重要,因为php脚本有时会有密码和其他敏感数据。
Never allow php scripts to be read by everyone.
绝不允许每个人阅读php脚本。
Useful commands:
有用的命令:
chmod 640 file.php
chown user:group file.php
usermod -a -G group apache
What these commands are doing:
这些命令正在做什么:
- Change ownership of file.php so user can read and write, group read.
- 更改file.php的所有权,以便用户可以读写,分组读取。
- Change ownership of file.php, to chosen user name and group name.
- 将file.php的所有权更改为所选的用户名和组名。
- Add apache to the group, so that apache can serve the file. Otherwise 640 will not work.
- 将apache添加到组中,以便apache可以为该文件提供服务。否则640将无法正常工作。
#3
1
I've coded a function to address the permissions issues in both of PHP / SuPHP and similar:
我编写了一个函数来解决PHP / SuPHP和类似的权限问题:
function realChmod($path, $chmod = null)
{
if (file_exists($path) === true)
{
if (is_null($chmod) === true)
{
$chmod = (is_file($path) === true) ? 644 : 755;
if (in_array(get_current_user(), array('apache', 'httpd', 'nobody', 'system', 'webdaemon', 'www', 'www-data')) === true)
{
$chmod += 22;
}
}
return chmod($path, octdec(intval($chmod)));
}
return false;
}
Maybe it's useful for you.
也许它对你有用。
#4
1
1) Files that end with a .php extension are handed off to the PHP compiler by Apache. If the proper configuration is not set up to do so, PHP files get served up as text files by the server. The Apache configuration line "AddHandler php5-script php" in the httpd.conf file is the PHP5 method of setting this up.
1)以.php扩展名结尾的文件由Apache传递给PHP编译器。如果没有设置正确的配置,PHP文件将由服务器作为文本文件提供。 httpd.conf文件中的Apache配置行“AddHandler php5-script php”是PHP5设置它的方法。
2) register.php needs to be accessible at http://www.example.com/php/register.php, as the java app is looking for it, so in the Apache htdocs folder, there needs to be a "php" folder with the register.php file in it.
2)register.php需要在http://www.example.com/php/register.php*问,因为java应用程序正在寻找它,所以在Apache htdocs文件夹中,需要有一个“php”其中包含register.php文件的文件夹。
3) PHP files need read access by the user that's running the Apache service. Using PHP as an Apache module has no 'service' to speak of that's separate for PHP. Instead the Apache service, when it gets a request for a PHP file, makes a shell call to the PHP binary to parse the file and hand the Apache service the result, which it serves to the client. Only if you were using PHP from the command line (CLI setup) would the scripts need execute permission, and start with a #!/path/to/php-bin line.
3)PHP文件需要运行Apache服务的用户进行读访问。使用PHP作为Apache模块没有'服务'可以说PHP的单独。相反,Apache服务在获取PHP文件请求时,会对PHP二进制文件进行shell调用以解析文件,并将Apache服务交给客户端。只有当您从命令行使用PHP(CLI设置)时,脚本才需要执行权限,并以#!/ path / to / php-bin行开头。
4) The requested file (register.php) needs to be in htdocs in order to be served by Apache. If PHP is running with "Safe Mode" disabled, register.php could include a file that was outside the htdocs folder.
4)请求的文件(register.php)需要在htdocs中才能由Apache提供服务。如果PHP在禁用“安全模式”的情况下运行,则register.php可能包含一个位于htdocs文件夹之外的文件。
5) The path "../inc/db_login.php" is relative to the PHP script that was originally fetched (register.php), so, since register.php is in htdocs/php/register.php, that would put db_login.php at htdocs/inc/db_login.php.
5)路径“../inc/db_login.php”是相对于最初获取的PHP脚本(register.php),因此,因为register.php在htdocs / php / register.php中,所以会放入db_login .php at htdocs / inc / db_login.php。
#5
0
All the PHP files which are intended to be addressed directly via URLs can happily reside in the same directories as the static content (this is the usual practice).
所有旨在通过URL直接寻址的PHP文件都可以很好地驻留在与静态内容相同的目录中(这是通常的做法)。
It is good practice to have at least one directory outside those visible from the webserver to hold include files, but the PHP include path should still include '.'.
优良作法是在Web服务器可见的目录之外至少有一个目录来保存包含文件,但PHP包含路径仍应包含“。”。
I'd recommend not putting lots of non-standard directories in your root filesystem - the default webroot varies by distribution, but I usually go with something like:
我建议不要在你的根文件系统中放置很多非标准目录 - 默认的webroot因发行版而异,但我通常会选择以下内容:
/var/www/htdocs - as the document root /usr/local/php - for include files
/ var / www / htdocs - 作为文件根目录/ usr / local / php - 用于包含文件
Obviously if you intend running your webserver chrrot, these should be mapped accordingly.
显然,如果您打算运行您的webserver chrrot,则应相应地映射这些。
All files must be readable by the uid under which the webserver runs, however if you can restrict what is writeable by this uid as much as possible then you close off a potential attack vector.
所有文件必须由运行Web服务器的uid读取,但是如果您可以尽可能限制此uid可写入的内容,则关闭潜在的攻击向量。
I usually go with setting up my dirs as drwxrwSr-x owned by a member of a webdev group with the group ownership as the webdev team, (the httpd uid is not in the webdev group) and files are therefore -rw-rw-r-- So anyone in the webdex group can change files, and the httpd uid can only read files.
我通常设置我的目录为drwxrwSr-x由webdev组的成员拥有,其中团队所有权为webdev团队,(httpd uid不在webdev组中),因此文件是-rw-rw-r - 因此webdex组中的任何人都可以更改文件,而httpd uid只能读取文件。
1) does the files-extension (.php) means something to the server:
1)文件扩展名(.php)对服务器意味着什么:
Yes - go read the PHP installation guide.
是 - 请阅读PHP安装指南。
C.
C。
#1
48
Directories must have execute permissions to be usable. Usually this is 0755. PHP scripts run via mod_php are not executed but rather read; 0644 will suffice for this. Directories that must be written to need to be owned by the user the web server is running as. There may be additional concerns regarding permissions, e.g. SELinux, but the above will get you through the basics.
目录必须具有可执行的执行权限。通常这是0755.通过mod_php运行的PHP脚本不会执行,而是读取; 0644就足够了。必须写入的目录需要由Web服务器运行的用户拥有。关于权限可能还有其他问题,例如: SELinux,但上面的内容将帮助您了解基础知识。
Documents that must not be accessed by other users or external clients should be 0600, owned by the web server user, and located outside the DocumentRoot. Note that running mod_php in Safe Mode will prevent scripts from ever including anything outside the DocumentRoot; a lamentable flaw.
其他用户或外部客户端不得访问的文档应为0600,由Web服务器用户拥有,位于DocumentRoot外部。请注意,以安全模式运行mod_php将阻止脚本包含DocumentRoot之外的任何内容;一个可悲的缺陷。
#2
9
Set php files to 640
For maximum security you should set minimum permissions, which is 640.
为了最大限度地提高安全性,您应该设置最小权限,即640。
- The owner 6 would be the one uploading the files.
- 所有者6将是上传文件的人。
- The group 4 would be the one serving the file. Make apache a group member.
- 第4组将是服务该文件的组。使apache成为组成员。
- The nobody 0 means no other users can read this file. It's important since php scripts sometimes have passwords and other sensitive data.
- nobody 0表示没有其他用户可以读取此文件。这很重要,因为php脚本有时会有密码和其他敏感数据。
Never allow php scripts to be read by everyone.
绝不允许每个人阅读php脚本。
Useful commands:
有用的命令:
chmod 640 file.php
chown user:group file.php
usermod -a -G group apache
What these commands are doing:
这些命令正在做什么:
- Change ownership of file.php so user can read and write, group read.
- 更改file.php的所有权,以便用户可以读写,分组读取。
- Change ownership of file.php, to chosen user name and group name.
- 将file.php的所有权更改为所选的用户名和组名。
- Add apache to the group, so that apache can serve the file. Otherwise 640 will not work.
- 将apache添加到组中,以便apache可以为该文件提供服务。否则640将无法正常工作。
#3
1
I've coded a function to address the permissions issues in both of PHP / SuPHP and similar:
我编写了一个函数来解决PHP / SuPHP和类似的权限问题:
function realChmod($path, $chmod = null)
{
if (file_exists($path) === true)
{
if (is_null($chmod) === true)
{
$chmod = (is_file($path) === true) ? 644 : 755;
if (in_array(get_current_user(), array('apache', 'httpd', 'nobody', 'system', 'webdaemon', 'www', 'www-data')) === true)
{
$chmod += 22;
}
}
return chmod($path, octdec(intval($chmod)));
}
return false;
}
Maybe it's useful for you.
也许它对你有用。
#4
1
1) Files that end with a .php extension are handed off to the PHP compiler by Apache. If the proper configuration is not set up to do so, PHP files get served up as text files by the server. The Apache configuration line "AddHandler php5-script php" in the httpd.conf file is the PHP5 method of setting this up.
1)以.php扩展名结尾的文件由Apache传递给PHP编译器。如果没有设置正确的配置,PHP文件将由服务器作为文本文件提供。 httpd.conf文件中的Apache配置行“AddHandler php5-script php”是PHP5设置它的方法。
2) register.php needs to be accessible at http://www.example.com/php/register.php, as the java app is looking for it, so in the Apache htdocs folder, there needs to be a "php" folder with the register.php file in it.
2)register.php需要在http://www.example.com/php/register.php*问,因为java应用程序正在寻找它,所以在Apache htdocs文件夹中,需要有一个“php”其中包含register.php文件的文件夹。
3) PHP files need read access by the user that's running the Apache service. Using PHP as an Apache module has no 'service' to speak of that's separate for PHP. Instead the Apache service, when it gets a request for a PHP file, makes a shell call to the PHP binary to parse the file and hand the Apache service the result, which it serves to the client. Only if you were using PHP from the command line (CLI setup) would the scripts need execute permission, and start with a #!/path/to/php-bin line.
3)PHP文件需要运行Apache服务的用户进行读访问。使用PHP作为Apache模块没有'服务'可以说PHP的单独。相反,Apache服务在获取PHP文件请求时,会对PHP二进制文件进行shell调用以解析文件,并将Apache服务交给客户端。只有当您从命令行使用PHP(CLI设置)时,脚本才需要执行权限,并以#!/ path / to / php-bin行开头。
4) The requested file (register.php) needs to be in htdocs in order to be served by Apache. If PHP is running with "Safe Mode" disabled, register.php could include a file that was outside the htdocs folder.
4)请求的文件(register.php)需要在htdocs中才能由Apache提供服务。如果PHP在禁用“安全模式”的情况下运行,则register.php可能包含一个位于htdocs文件夹之外的文件。
5) The path "../inc/db_login.php" is relative to the PHP script that was originally fetched (register.php), so, since register.php is in htdocs/php/register.php, that would put db_login.php at htdocs/inc/db_login.php.
5)路径“../inc/db_login.php”是相对于最初获取的PHP脚本(register.php),因此,因为register.php在htdocs / php / register.php中,所以会放入db_login .php at htdocs / inc / db_login.php。
#5
0
All the PHP files which are intended to be addressed directly via URLs can happily reside in the same directories as the static content (this is the usual practice).
所有旨在通过URL直接寻址的PHP文件都可以很好地驻留在与静态内容相同的目录中(这是通常的做法)。
It is good practice to have at least one directory outside those visible from the webserver to hold include files, but the PHP include path should still include '.'.
优良作法是在Web服务器可见的目录之外至少有一个目录来保存包含文件,但PHP包含路径仍应包含“。”。
I'd recommend not putting lots of non-standard directories in your root filesystem - the default webroot varies by distribution, but I usually go with something like:
我建议不要在你的根文件系统中放置很多非标准目录 - 默认的webroot因发行版而异,但我通常会选择以下内容:
/var/www/htdocs - as the document root /usr/local/php - for include files
/ var / www / htdocs - 作为文件根目录/ usr / local / php - 用于包含文件
Obviously if you intend running your webserver chrrot, these should be mapped accordingly.
显然,如果您打算运行您的webserver chrrot,则应相应地映射这些。
All files must be readable by the uid under which the webserver runs, however if you can restrict what is writeable by this uid as much as possible then you close off a potential attack vector.
所有文件必须由运行Web服务器的uid读取,但是如果您可以尽可能限制此uid可写入的内容,则关闭潜在的攻击向量。
I usually go with setting up my dirs as drwxrwSr-x owned by a member of a webdev group with the group ownership as the webdev team, (the httpd uid is not in the webdev group) and files are therefore -rw-rw-r-- So anyone in the webdex group can change files, and the httpd uid can only read files.
我通常设置我的目录为drwxrwSr-x由webdev组的成员拥有,其中团队所有权为webdev团队,(httpd uid不在webdev组中),因此文件是-rw-rw-r - 因此webdex组中的任何人都可以更改文件,而httpd uid只能读取文件。
1) does the files-extension (.php) means something to the server:
1)文件扩展名(.php)对服务器意味着什么:
Yes - go read the PHP installation guide.
是 - 请阅读PHP安装指南。
C.
C。