PHP 脚本/目录的权限是什么?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2096255/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What permissions for PHP scripts/directories?
提问by christophe milard
I am trying to help a friend moving a web-site from one web-hotel to another. The old place is already closed, I have only a flat tar file of what was in it.
我正在尝试帮助一位朋友将网站从一家网络酒店转移到另一家。旧地方已经关闭,我只有一个简单的 tar 文件,里面有什么。
The web site contained HTML docs and one could download a little Java application (to be loaded on mobile phone) to send data to the web site.
该网站包含 HTML 文档,您可以下载一个小 Java 应用程序(可加载到手机上)将数据发送到该网站。
The mobile Java application sent a string to URL=<HOST>/php/register.php. This php script included another php script (../inc/db_login.php), which connected to a SQL DB using $link=mysql_connect(). Another file, register.php, did the SQL insert for putting the new sent data in the DB.
移动 Java 应用程序向 发送了一个字符串URL=<HOST>/php/register.php。这个 php 脚本包括另一个 php 脚本 ( ../inc/db_login.php),它使用$link=mysql_connect(). 另一个文件 ,register.php执行 SQL 插入以将新发送的数据放入数据库中。
My question is basicaly, where I should put this 2 PHP files on the new website and what permissions the directories and files should have?
我的问题基本上是,我应该把这 2 个 PHP 文件放在新网站上的什么位置,目录和文件应该有什么权限?
The old web server obviously had a /phpand /incdirectories. None of these exists on the new webserver. Should I create them? What permission should they have? I guess the reason for having the password in a separate PHP file was security. The /phpand /incdirectory probably had different permissions.
旧的 Web 服务器显然有一个/php和/inc目录。这些都不存在于新的网络服务器上。我应该创建它们吗?他们应该得到什么许可?我想将密码放在单独的 PHP 文件中的原因是安全性。该/php和/inc目录可能有不同的权限。
The new server has directories:
新服务器有目录:
/httpdos/httpsdos/cgi-bin/conf(and some others probably irrelevant)
/httpdos/httpsdos/cgi-bin/conf(还有其他一些可能无关紧要)
My questions
我的问题
Does the file-extension (
.php) mean something to the server: as PHP scripts are "included" in HTML code (between<?...?>, does the server need to look at the file suffix or is it irrelevant? (I understand that the server reacts on the<?...?>, of course)should the public file (
register.phpin my case) be placed in thehttpdocs/directory or does the server (apache I think) reacts on something and fetches it in another directory?Should the PHP script have permission
R-X(read and execute),--X(execute) orR--(read)? From a OS perspective I guess apache is just reading this files, meaning that they should beR--, but this would mean that if PHP service is "stopped" the client would get all the PHP code in his browser(?). I would prefer it being--Xbut as this is neither a binary nor has a#!, I guess it must be--R?If the public PHP script can be placed in another dir (e.g
/phpinstead of/httpdocs) what should/php(and the script) have for permission?. I guess the server has to know about this/phpdirectory (or are there usual defaults?)The PHP script included (
../inc/db_login.php, containing SQL password) should not be under/httpdocsI guess. This means that myregister.phpis including a file which is not under the/httpdocssubtree. Does this work? Does the server need to know?
文件扩展名 (
.php) 对服务器有什么意义:因为 PHP 脚本“包含”在 HTML 代码中(在 之间<?...?>,服务器是否需要查看文件后缀或者它是否无关紧要?(我知道服务器对<?...?>, 当然)应该将公共文件(
register.php在我的情况下)放在httpdocs/目录中还是服务器(我认为是 apache)对某些内容做出反应并将其提取到另一个目录中?PHP 脚本是否应该具有
R-X(读取和执行)、--X(执行)或R--(读取)权限?从操作系统的角度来看,我猜 apache 只是在读取这些文件,这意味着它们应该是R--,但这意味着如果 PHP 服务“停止”,客户端将在其浏览器中获取所有 PHP 代码(?)。我更喜欢它,--X但因为这既不是二进制也没有#!,我想它一定是--R?如果公共 PHP 脚本可以放在另一个目录中(例如,
/php而不是/httpdocs)/php(和脚本)应该获得什么许可?。我猜服务器必须知道这个/php目录(或者是否有通常的默认值?)包含的 PHP 脚本 (
../inc/db_login.php, 包含 SQL 密码) 不应该在/httpdocs我猜下。这意味着 myregister.php包含一个不在/httpdocs子树下的文件。这行得通吗?服务器需要知道吗?
I understand you may need to know the server configuration. Just assume the default in your answer (and you can tell where it is changed if it is).
我知道您可能需要了解服务器配置。只需假设您的答案中的默认值(如果是,您可以告诉它在哪里更改)。
回答by Ignacio Vazquez-Abrams
Directories must have execute permissions to be usable. Usually this is 0755. PHP scripts run via mod_phpare not executed but rather read; 0644will suffice for this. Directories that must be written to need to be owned by the user the web server is running as. There may be additional concerns regarding permissions, e.g. SELinux, but the above will get you through the basics.
目录必须具有执行权限才能使用。通常这是0755. 通过运行的 PHP 脚本mod_php不会被执行,而是被读取;0644就足够了。必须写入的目录需要由运行 Web 服务器的用户拥有。可能还有其他关于权限的问题,例如 SELinux,但以上内容将帮助您了解基础知识。
Documents that must not be accessed by other users or external clients should be 0600, owned by the web server user, and located outside the DocumentRoot. Note that running mod_php in Safe Mode will prevent scripts from ever including anything outside the DocumentRoot; a lamentable flaw.
其他用户或外部客户端不得访问的文档应归0600Web 服务器用户所有,并位于 DocumentRoot 之外。请注意,在安全模式下运行 mod_php 将阻止脚本包含 DocumentRoot 之外的任何内容;一个可悲的缺陷。
回答by kintsukuroi
Set php files to 640
将php文件设置为640
For maximum securityyou should set minimum permissions, which is 640.
为了获得最大的安全性,您应该设置最小权限,即640。
- The owner 6would be the one uploading the files.
- The group 4would be the one serving the file. Make apache a group member.
- The nobody 0means no other users can read this file. It's important since php scripts sometimes have passwords and other sensitive data.
- 该店主6将是一个上传的文件。
- 第4 组将是提供文件的组。使 apache 成为组成员。
- 该无人0表示没有其他用户可以读取该文件。这很重要,因为 php 脚本有时会有密码和其他敏感数据。
Never allow php scripts to be read by everyone.
永远不要让 php 脚本被所有人阅读。
Useful commands:
有用的命令:
chmod 640 file.php
chown user:group file.php
usermod -a -G group apache
What these commands are doing:
这些命令在做什么:
- Change ownership of file.php so user can read and write, group read.
- Change ownership of file.php, to chosen user name and group name.
- Add apache to the group, so that apache can serve the file. Otherwise 640 will not work.
- 更改 file.php 的所有权,以便用户可以读写、组读取。
- 将 file.php 的所有权更改为选定的用户名和组名。
- 将 apache 添加到组中,以便 apache 可以为文件提供服务。否则 640 将无法工作。
回答by MidnightLightning
1) Files that end with a .php extension are handed off to the PHP compiler by Apache. If the proper configuration is not set up to do so, PHP files get served up as text files by the server. The Apache configuration line "AddHandler php5-script php" in the httpd.conf file is the PHP5 method of setting this up.
1) 以 .php 扩展名结尾的文件由 Apache 移交给 PHP 编译器。如果没有设置正确的配置,PHP 文件将被服务器作为文本文件提供。AddHandler php5-script phphttpd.conf 文件中的 Apache 配置行“ ”是 PHP5 设置方法。
2) register.php needs to be accessible at http://www.example.com/php/register.php, as the java app is looking for it, so in the Apache htdocs folder, there needs to be a "php" folder with the register.php file in it.
2) register.php 需要可以在http://www.example.com/php/register.php 访问,因为 java 应用程序正在寻找它,所以在 Apache htdocs 文件夹中,需要有一个“php”包含 register.php 文件的文件夹。
3) PHP files need read access by the user that's running the Apache service. Using PHP as an Apache module has no 'service' to speak of that's separate for PHP. Instead the Apache service, when it gets a request for a PHP file, makes a shell call to the PHP binary to parse the file and hand the Apache service the result, which it serves to the client. Only if you were using PHP from the command line (CLI setup) would the scripts need execute permission, and start with a #!/path/to/php-binline.
3) PHP 文件需要运行 Apache 服务的用户具有读取权限。使用 PHP 作为 Apache 模块没有“服务”可言,这对于 PHP 来说是分开的。相反,当 Apache 服务收到对 PHP 文件的请求时,它会对 PHP 二进制文件进行 shell 调用以解析文件并将结果交给 Apache 服务,然后将结果提供给客户端。仅当您从命令行(CLI 设置)使用 PHP 时,脚本才需要执行权限,并以#!/path/to/php-bin一行开头。
4) The requested file (register.php) needs to be in htdocs in order to be served by Apache. If PHP is running with "Safe Mode" disabled, register.php could include a file that was outside the htdocs folder.
4) 请求的文件 (register.php) 需要在 htdocs 中才能被 Apache 服务。如果 PHP 在禁用“安全模式”的情况下运行,则 register.php 可能包含 htdocs 文件夹之外的文件。
5) The path "../inc/db_login.php" is relative to the PHP script that was originally fetched (register.php), so, since register.php is in htdocs/php/register.php, that would put db_login.php at htdocs/inc/db_login.php.
5) 路径“ ../inc/db_login.php”是相对于最初获取的 PHP 脚本 (register.php),因此,由于 register.php 在 中htdocs/php/register.php,因此会将 db_login.php 放在htdocs/inc/db_login.php.
回答by symcbean
All the PHP files which are intended to be addressed directly via URLs can happily reside in the same directories as the static content (this is the usual practice).
所有打算通过 URL 直接寻址的 PHP 文件都可以愉快地与静态内容位于同一目录中(这是通常的做法)。
It is good practice to have at least one directory outside those visible from the webserver to hold include files, but the PHP include path should still include '.'.
最好在 Web 服务器可见的目录之外至少有一个目录来保存包含文件,但 PHP 包含路径仍应包含“.”。
I'd recommend not putting lots of non-standard directories in your root filesystem - the default webroot varies by distribution, but I usually go with something like:
我建议不要在您的根文件系统中放置大量非标准目录 - 默认的 webroot 因发行版而异,但我通常会使用以下内容:
/var/www/htdocs - as the document root /usr/local/php - for include files
/var/www/htdocs - 作为文档根目录 /usr/local/php - 用于包含文件
Obviously if you intend running your webserver chrrot, these should be mapped accordingly.
显然,如果您打算运行您的网络服务器 chrrot,则应相应地映射这些内容。
All files must be readable by the uid under which the webserver runs, however if you can restrict what is writeable by this uid as much as possible then you close off a potential attack vector.
所有文件都必须可由运行 web 服务器的 uid 读取,但是如果您可以尽可能地限制此 uid 可写的内容,那么您就关闭了潜在的攻击向量。
I usually go with setting up my dirs as drwxrwSr-x owned by a member of a webdev group with the group ownership as the webdev team, (the httpd uid is not in the webdev group) and files are therefore -rw-rw-r-- So anyone in the webdex group can change files, and the httpd uid can only read files.
我通常将我的目录设置为由 webdev 组的成员拥有的 drwxrwSr-x,该组的所有权为 webdev 团队,(httpd uid 不在 webdev 组中),因此文件为 -rw-rw-r -- 所以webdex组中的任何人都可以更改文件,而httpd uid只能读取文件。
1) does the files-extension (.php) means something to the server:
1) 文件扩展名 (.php) 对服务器有什么意义:
Yes - go read the PHP installation guide.
是的 - 去阅读 PHP 安装指南。
C.
C。
回答by Alix Axel
I've coded a function to address the permissions issues in both of PHP / SuPHP and similar:
我编写了一个函数来解决 PHP / SuPHP 和类似的权限问题:
function realChmod($path, $chmod = null)
{
if (file_exists($path) === true)
{
if (is_null($chmod) === true)
{
$chmod = (is_file($path) === true) ? 644 : 755;
if (in_array(get_current_user(), array('apache', 'httpd', 'nobody', 'system', 'webdaemon', 'www', 'www-data')) === true)
{
$chmod += 22;
}
}
return chmod($path, octdec(intval($chmod)));
}
return false;
}
Maybe it's useful for you.
也许它对你有用。
回答by Madan Sapkota
Assuming your SFTP/FTP user is johndoeand web server group is www-data. johndoeonly read, write the files but not execute the files (in my case never). The web server software usually Apache/Nginx from the group www-datacan read/write/execute the files. Other users? what are they doing here???
So, I used to set 0670(rw-rwx---) and works for me always :)
假设您的 SFTP/FTP 用户是johndoe并且 Web 服务器组是www-data。johndoe只读取、写入文件但不执行文件(在我的情况下永远不会)。组中的 Web 服务器软件通常是 Apache/Nginxwww-data可以读/写/执行文件。其他用户?他们在这里做什么???所以,我曾经设置0670( rw-rwx---) 并且总是为我工作:)
