Are 0700 or 0711 permissions sufficient to protect a database configuration file?
As we all know, with shared web hosting other users' (websites') files could be revealed to others if 'others' have the (read) permission.
I think 0700 or 0711 permission is the best way (in shared hosting) to protect important files that contain secret information.
I suppose that the server is using suPHP or any similar module, so that the UID of the process is kept the same as the owner of the files being accessed.
So what do you say?
Comments (2)
You are correct. 700 would ensure nobody can read/write/execute that file, except the owner. So that would be good enough! In case it is to be executed, 711, else, 700.
However, if some operation involving that file fails, you should consider 711.
EDIT:
As you have mentioned, if it contains a connection string, you can safely assume that nobody needs to be given write privileges, and give everyone execute privileges.
So, 511 (which is r_x __x __x) should do it.

You'll need execution rights only for directories; if your files are PHP source files you certainly do not need execution rights.
0640 and 2750 are usually good rights for files and directories respectively (the 2 in the directory rights makes the new files inherit the user & group of the directory).
That is for files:
And directories
Which is right if the webserver is using the group rights and the FTP-or-such user is the owner. With Suexec and such you could maybe adjust these settings depending on who is the owner and who is the web reader (user? group?); the web reader does not need write access, except maybe on some specific directories depending on the application.
And do not forget that file & directory rights are only one point in the separation of users in a shared environment. For PHP environments, using per-user open_basedir settings, temporary file and upload directories, and per-user session directories is always a good idea (that can be defined in per-user virtualhosts).
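
An added example, not code from either answer: a small audit that measures files and directories against the 0640 / 2750 baseline named in the second answer, so the modes discussed in this thread (0700, 0711, 511) can be compared with it. The function names `audit_mode` and `audit_tree` are hypothetical, and the baseline assumes the web server reads through group rights, as that answer describes.

```python
import os
import stat


def audit_mode(st_mode):
    """Return findings for one st_mode value, measured against the
    0640 (files) / 2750 (directories) baseline from the second answer."""
    perm = stat.S_IMODE(st_mode)
    findings = []
    if perm & stat.S_IRWXO:
        findings.append("others have access")
    if perm & stat.S_IWGRP:
        findings.append("group can write")
    if stat.S_ISDIR(st_mode):
        if not perm & stat.S_ISGID:
            findings.append("directory without setgid")
    elif perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit on a data file")
    return findings


def audit_tree(root):
    """Walk root and map every path that deviates to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            findings = audit_mode(st.st_mode)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in sorted(audit_tree(target).items()):
        print(f"{path}: {', '.join(findings)}")
```

Under suPHP-style setups where the process UID is the file owner, the group bits can be tightened further; the "others have access" finding is the one that matters for exposure to other tenants.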