Unix 权限,读取与执行(PHP 上下文)
我有一个需要连接到数据库的 php 脚本.数据库的凭据存储在另一个 php 脚本中.
I have a php script which needs to connect to a database. The credentials for the database are stored in another php script.
如果我将凭据文件的权限设置为 661,以便 Public 具有执行权限但没有读取权限,这是否允许主脚本访问凭据并连接到数据库,同时防止有人在服务器上拥有用户帐户从查看凭据文件的内容?
If I set the permissions for the credentials file to 661 so that Public has execute permission but not read permission, does this allow the main script to access the credentials and connect to the DB while preventing someone with a user account on the server from viewing the contents of the credentials file?
我想我对读取和执行之间的区别感到困惑.php 脚本(以 www 或类似方式运行)是否需要读取权限才能包含另一个 php 脚本并使用其中的任何内容?还是只需要执行?读取权限是否隐式赋予执行权限?
I guess I'm confused as to the distinction between read and execute. Does a php script (running as www or something similar) need read-permission to include another php script and use any content inside? Or does it just need execute? Does read permission implicitly give execute permission?
子问题:如果我将所有脚本设置为仅具有执行权限而不具有读取权限,是否会出现任何陷阱?这是假设我将需要显式读取权限(数据文件)的所有文件设置为读取.
Sub-Question: If I set all of my scripts to only have execute permission and not read, are there any pitfalls I should expect? This is assuming that I will leave any files I need explicit read permission (data files) set to read.
推荐答案
就文件而言,执行权限与您无关 - 您的 Web 服务器运行的用户帐户需要访问和读取相关文件的权限.为了遍历目录,用户还需要对该目录的执行权限.
As far as files are concerned, execute permission is irrelevant to you - the user account your web server is running under needs permission to access and read the files in question. In order to traverse into a directory, the user will also require execute permission on that directory.
如果你试图让你的脚本被网络服务器读取(假设你以属于www"组的帐户www"运行),而不是系统上的其他用户,这就是我会做(假设您的帐户是myuser"):
If you are trying to make your scripts readable by the web server (let's say you're running as the account "www" which belongs to group "www"), and not by other users on the system, here's what I would do (assumes your account is "myuser"):
# Change owner to "myuser" and group to "www" for file(s) in question
chown myuser:www config.php
# 640: myuser has rw-, www has r--, world has ---
chmod 640 config.php
如果你想阻止世界读取secrets"目录中的任何文件,只需禁用执行位:
If you want to prevent the world from reading any file in a "secrets" directory, just disable the execute bit:
# 750: myuser has rwx, www has r-x, world has ---
chmod 750 secrets
如果您将所有脚本设置为具有执行权限但没有读取权限,则没有人可以对它们做任何有用的事情(包括网络服务器);-)
If you set all your scripts to have execute permission but not read permission, nobody can do anything useful with them (including the webserver) ;-)
相关文章