RE: [Full-Disclosure] securing php

["Rainer Gerhards" <rgerhards@hq.adiscon.com>]

Apache does not need to run as Administrator under Win32. In fact, the Apache folks recommend NOT to do this. It is on by default, so that it fits into the "Wíndows security model". See the Apache web site for how to run it under a different user - they have doc (but I don't have the link right now;)).

Keep in mind, though, that even when run as a non-admin, Apache requires some considerate priveleges. If not done so, please also check on PHPs safe mode (far from bullet-proof, but another hurdle)....

Rainer

> -----Original Message-----
> From: Paul Schmehl [mailto:pauls@utdallas.edu] 
> Sent: Wednesday, August 20, 2003 4:09 AM
> To: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] securing php
> 
> 
> --On Tuesday, August 19, 2003 20:10:48 -0400 Michael Gale 
> <michael@bluesuperman.com> wrote:
> >#
> > User nobody
> > Group #-1
> > </IfModule>
> > </IfModule>
> > --snip--
> >
> > I am not sure if the windows version has this option - it may have
> > something similar.
> 
> I'm not sure why you would *want* to run Apache on Windows, 
> but I'm certain 
> that it would have the same options as *nix where possible.  
> If you're 
> insistent in running a web server on Windows, Apache is 
> probably the better 
> choice, though.
> 
> The problem with Windows is that the concept of running servers as 
> unprivileged users or starting a daemon as root and then dropping 
> privileges doesn't correspond one to one with the *nix security model.
> 
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html