Hey All.
I use a file caching system for many of the sites I host. I was chmod 777’ing /mycachedir/, but a hacker got through that security hole and wreaked havoc on one site.
Reading through some posts on the web re: this issue, it seems like there are 2 options:
- chmod 777 your cache directory, but add the following .htaccess file to your cache dir (or .conf file with a directory deny for /yourcachedir/):
Options -Indexes
<Files *>
order deny,allow
deny from all
</Files>
- change ownership from siteworx user to apache user for /yourcachedir/
e.g. chown apache:apache yourcachedir.
Testing the change ownership option, it seems to work quite well (i.e. I am able to write cached files and read them via web browser), and perms are 744 for the cache dir, so I would assume that security-wise this does the trick?
I think that since PHP runs under Apache as the apache user, you have to chmod 777 any directory you want to write to, as Siteworx account dirs and files ownership is based on the domain name of the site (e.g. mydomainuser; not apache).
So, if option 2 is a “solid” security option, I’d like to chown all the cache dirs for all of my sites. Anyone know how to pull that off with a simple shell script? I know how to create a list of users and loop through it in a shell script, but how do I get the domain portion in the following:
LIST="site1 site2"
for d in $LIST; do
    chown apache:apache "/home/$d/DOMAIN/html/mycachedir"
done
Thanks for any and all feedback!
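
One way to handle the DOMAIN part of the loop above, as an added example that is not part of the original post: a shell glob stands in for the domain directory, and the same listing is used to report which cache dirs are still world-writable. It assumes the `/home/<user>/<domain>/html/mycachedir` layout from the post; the function names and the `DRY_RUN` variable are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed layout, taken from the
# post's path: <home_root>/<user>/<domain>/html/<cache_name>.

# Print every cache directory for the given users; the glob "*" stands in
# for the unknown DOMAIN component.
list_cache_dirs() {
    home_root=$1; cache_name=$2; shift 2
    for user in "$@"; do
        for dir in "$home_root/$user"/*/html/"$cache_name"; do
            # An unmatched glob stays literal, so test for a real directory;
            # a cache dir that is itself a symlink is skipped.
            [ -d "$dir" ] && [ ! -L "$dir" ] && printf '%s\n' "$dir"
        done
    done
    return 0
}

# Print only the cache directories that are still world-writable (e.g. 777).
world_writable_cache_dirs() {
    list_cache_dirs "$@" | while IFS= read -r dir; do
        find "$dir" -prune -perm -0002 -print
    done
}

# Remove group/world write; chown only when an owner is given (needs root).
# Usage: harden_cache_dirs OWNER HOME_ROOT CACHE_NAME USER...
# Set DRY_RUN=1 to print the commands instead of running them.
harden_cache_dirs() {
    owner=$1; shift
    list_cache_dirs "$@" | while IFS= read -r dir; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "chown $owner $dir; chmod go-w $dir"
        else
            [ -n "$owner" ] && chown "$owner" "$dir"
            chmod go-w "$dir"
        fi
    done
}
```

With the post's values this would be called as `DRY_RUN=1 harden_cache_dirs apache:apache /home mycachedir site1 site2` to review the commands first, then again as root without `DRY_RUN`.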