[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] securing php
- To: <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] securing php
- From: "Larry W. Cashdollar" <lwc@vapid.ath.cx>
- Date: Tue, 19 Aug 2003 23:01:58 -0400 (EDT)
Justin,
I recommend for server security and stability sake in a production
environment, to run software on the platform it was developed on. Atleast
in this case. So you want to run apache? run it on a *nix variant. I
have never run IIS so I can't compare it to Windows native http server.
At least what I have seen with software that has been ported from Windows
to UNIX (Solaris in this case) is the differences in security models tend
to fall through the cracks. I suspect this case might be the same
the other way around. The nativly written stuff has had longer to bake
etc...
-- Larry C$
"Justin Shin" <zorkshin@tampabay.rr.com> wrote:
> Hi all --
>
> I have a friend that owns a web hosting company and recently he asked me to
> check up on his security ... I found that PHP scripts could access,
>modify, etc. anything on the drive. Of course, this is because PHP was
>invoked by apache, which is being run as a root user (Administrator, he
>runs apache on win2k3 for some odd reason) but I do not know the remedy.
>How could he set up his apache/PHP so that only the users of his web
>hosting service could "do stuff" to their own web directories. I know I
>am not explaining this well, but I think you get the picture :) I also
>know there is a simple solution to this, I googled it though and I
>couldn't find it.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html