Table of Contents
Overview
When you create a Web database application, the two main components of the application are:
- your MySQL database (which resides on dbm1.itc.virginia.edu)
- your scripts that query the database, display the data to a Web browser, etc (these files will reside on an appropriate Web server, such as www.people.virginia.edu / blue.unix.virginia.edu). These scripts may be written in any one of a number of languages, such as PHP, Java, or Perl.
In order for your scripts to query the database, they must supply the database connection information, which includes:
- the host name
- the username
- the password
Additionally, for many languages, the scripts must be readable by "other" in order to be accessible via the Web. When your scripts reside on a shared server (such as www.people.virginia.edu / blue.unix.virginia.edu), this presents a security hazard. Anyone with access to the server, which could potentially be thousands of people, may view your connection information and then compromise your database.
Process
The following information will help you to set up appropriate file permissions for protecting your database while still enabling you to use the Web as a delivery mechanism. Follow the steps outlined below to secure your files.
Request a UNIX group definition
UNIX groups are used to allow access to files and directories to a subset of people. By default, you are already a member of a group, such as "usr" or "staff". Since these groups have thousands of members, they are not particularly restrictive. However, ITC will create a UNIX group for you at your request (send mail to ITC's web consulting group) that contains yourself and a special user, called "webuser". In the examples that follow, we will use the fictitious group name "webgrp".
Create a parent directory and a child directory (or directories)
Once your UNIX group is set up, you should create a "parent directory" that will house at least one "child directory". In the following example, user mst3k has created a parent directory (apps) and child directory (code) on his personal Web site.
/home/mst3k/public_html/apps
/home/mst3k/public_html/apps/code
At this point, the group ownership of these two directories is still the default group for mst3k (in this case, usr).
Move your scripts to the appropriate directory
After you have created your parent and child directories, you will need to place all of your scripts in the child directory. You may have subdirectories beneath that if you like. For our user mst3k, the file and directory structure might resemble the following:
/home/mst3k/public_html/apps
/home/mst3k/public_html/apps/code
/home/mst3k/public_html/apps/code/computers.php
/home/mst3k/public_html/apps/code/inventory.php
/home/mst3k/public_html/apps/code/people.php
Assign appropriate file permissions
This is the most important step in the process. In order to protect the contents of the child directory, you must change the permissions of the parent directory and the group ownership of the parent directory. In this example, mst3k will change the permissions of the directory apps to 710 (rwx--x---) and the group ownership to webgrp.
node10: /home/mst3k/public_html $ chmod 710 apps
node10: /home/mst3k/public_html $ chgrp webgrp apps
At this point you should verify that the permissions and group settings are correct.
node10: /home/mst3k/public_html $ ls -l
drwx--x--- 2 mst3k webgrp 4096 Oct 23 17:58 apps/
The child directory and its contents should still have the default file permissions.