I have a PHP web application (running on Apache/Linux) that, among other things, allows some browsing of local files on the web server. Since Apache is running as a special “www” user, PHP has access to everything that “www” can access, whichever user is logged into the application.
What is the best way to limit the access to files according to the Unix filesystem privileges for the logged-in user? Ideally, I could spawn off a new process with user ID being the logged in user, but I’m not sure if that’s possible. Alternatively, is there a standard PHP library somewhere that will do the permission checking and access the files?
You may take a look over http://httpd.apache.org/docs/2.0/suexec.html it should do what you need, without the need to keep a separate lsit of users and permissions in your aplications.
As far as i know, this extension is implemented on some(if not all) shared hosting services to control how resources are divided between users.
This will lead to scripts not getting executed by www-data(but by the system user), and PHP not running as a module(by CGI/fastCGI mechanisms).