Topic: Apache is refusing to server without world permissions

[mkilani]

Hi guys and I appreciate your help on this.

So I have a server with multiple websites on it, each website is served from a folder named after the username in the home folder (e.g. /home/website1/). Each virtual host is served via fastcgi to limit access to the username as well from within their php code.

So the folder /home/website1 is owned by its user and the virtual host executes fine.

However, although another user cannot manipulate files owned by other accounts, when a user from another website, (e.g. /home/website2) runs a php script like "echo exec('/home');" he is able to see the other folders on the server, which I do not want.

I tried removing world permissions but when I do that apache refuses to serve the host and returns (Forbidden) on the browser. Eventhough fastcgi is working through a user who owns this specific folder. It only works when I allow world access (774 permissions) as a minimum. I'm not sure why considering apache is serving the website via a user who owns this folder (through fcgi).

I do not want a user to be able to list other files on the server through his php (or other language) code. But clearly I cannot do a (chmod -R -o-rwx /*) or things will go bad on the server. I appreciate your advise on this.

Thanks!

[James Blond]

You may put all these users into one group.

However having 755 for the home folder itself should be ok.

Why would you allow the use of exec anyway?