How do you set up files and folders rights in a shared web hosting environment? Do you use Apache + suexec? How can you prevent members of group "www" from reading files belonging to other users in the system (through SSH or PHP)?
One half of the solution is to chroot jail users into their respective DocumentRoots when they log in to transfer files.
This can be achieved easily with SSH (SFTP/SCP) by using the ChrootDirectory directive.
Edit:
As the above de facto practice has been oddly down-voted, I may as well provide the other half too.
Generally the only way to prevent Apache scripting modules from accessing files on the FS that they shouldn't is to run them through suEXEC as CGI, which is pretty horrible in my opinion. You will then need to separately ensure that each user's files are restricted only to their own UID/GID, i.e. umask 027. Alternatively there are some third-party modules that will do this in a box for you, such as suPHP.
The most common practice would be that each user in the shared web hosting environment would have their own UID (username) & GID (group) separate from that of the one the Apache web server runs at. You can use suexec to keep CGIs running as the same permissions as the user and not as the web server user/group. PHP will do this already for you by running as the user and not allowing the code to access something it doesn't have permissions to.
The problem will be in preventing members from being able to read files, as the permissions have to be open enough that the Apache server can read them to be able to serve them. I would recommend, if each user has their own UID/GID, 0664 for files and 0775 for directories. That gives 'others' read access only.
FreeBSD jails are an option.
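As an added example (not from any of the answers above), this shell script builds a constructed two-account tree, one created under umask 027 and one set to 0664/0775, and lists every entry that still grants any access to 'other'. The account names, file contents and directory layout are assumptions, and group ownership by the web server's group is not set here.

```shell
#!/bin/sh
# Added example: audit a shared-hosting tree for entries that other
# local accounts can reach. Layout (one directory per account) is assumed.

# Print every file or directory below $1 that grants r, w or x to "other".
audit_other_access() {
    find "$1" -mindepth 1 \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a constructed demo tree under $1:
#   alice creates her files under umask 027 (files 640, directories 750)
#   bob uses explicit 0664 for files and 0775 for directories
build_demo() {
    root=$1
    (
        umask 027
        mkdir -p "$root/alice/htdocs"
        echo '<?php $db_pass = "constructed"; ?>' > "$root/alice/htdocs/config.php"
    )
    mkdir -p "$root/bob/htdocs"
    echo '<?php $db_pass = "constructed"; ?>' > "$root/bob/htdocs/config.php"
    chmod 0775 "$root/bob" "$root/bob/htdocs"
    chmod 0664 "$root/bob/htdocs/config.php"
}

# Build the tree in a temporary directory, report, and clean up.
demo() {
    d=$(mktemp -d)
    build_demo "$d"
    echo "alice config.php mode: $(mode_of "$d/alice/htdocs/config.php")"
    echo "bob   config.php mode: $(mode_of "$d/bob/htdocs/config.php")"
    echo "Entries accessible to 'other':"
    audit_other_access "$d"
    rm -rf "$d"
}

demo
```

With 640/750 the web server can only serve the files if it shares the owning group or runs as the owner, which is the trade-off the answers above are weighing.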