
Re: [Full-Disclosure] securing php



On Tue, Aug 19, 2003 at 05:51:46PM -0400, Justin Shin wrote:
> etc. anything on the drive. Of course, this is because PHP was invoked by
> apache, which is being run as a root user (Administrator, he runs apache on
> win2k3 for some odd reason) but I do not know the remedy. How could he set up
> his apache/PHP so that only the users of his web hosting service could "do
> stuff" to their own web directories. I know I am not explaining this well,

This is what you're looking for.   http://httpd.apache.org/docs-2.0/suexec.html

But, he needs to set the uid/gid of the apache process as a whole also.
Running it on windows/nix doesn't change that.

php safe_mode isn't a bad idea, but I think that the suexec will help you even
more.  I always try and give my users enough rope to hang themselves, but not
enough rope to hang me also (tough call sometimes).

jeremy

-- 
  Jereme Kelley <jeremy 33ad.org>
  All plenty which is not my God is poverty to me. -- Augustine.
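The two settings the reply points at, written out as an added httpd.conf fragment for Apache 2.0 on a Unix host (this is an added example, not configuration from the original mail or from the poster's server; hostnames, paths and the user names alice/bob are constructed placeholders). It shows the server-wide User/Group drop that must happen regardless of suexec, and the per-virtual-host SuexecUserGroup that makes each customer's scripts run under their own uid/gid:

```apache
# Added example (not from the original mail). Apache 2.0, Unix host.
# Names and paths are placeholders chosen for illustration.

# 1. The server process as a whole must not run as root. httpd binds port 80
#    as root and then drops to this unprivileged user/group before it serves
#    a single request, so a bug in PHP or Apache gains only these rights.
User apache
Group apache

# 2. Per-customer CGI (PHP must run as a CGI binary for this; mod_php runs
#    inside httpd and so always runs as the User above) is handed to the
#    suexec wrapper, which switches to the customer's own uid/gid first.
#    A script under alice's docroot then reaches only what alice can reach,
#    not the whole drive the original poster describes.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   alice.example.com
    DocumentRoot /home/alice/public_html
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ /home/alice/public_html/cgi-bin/
</VirtualHost>

<VirtualHost *:80>
    ServerName   bob.example.com
    DocumentRoot /home/bob/public_html
    SuexecUserGroup bob bob
    ScriptAlias /cgi-bin/ /home/bob/public_html/cgi-bin/
</VirtualHost>
```

Before relying on it, check the config with `apachectl -t` and the wrapper's compiled-in limits with `suexec -V`: suexec refuses to run a script whose owner does not match the configured user, that is writable by others, or whose uid/gid falls below the minimum compiled into the wrapper, so a customer's scripts must actually be owned by that customer's account for the setup to do anything.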

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html