Full Disclosure mailing list archives
Re: securing php
From: jeremy () 33ad org
Date: Wed, 20 Aug 2003 18:41:00 -0500
On Tue, Aug 19, 2003 at 05:51:46PM -0400, Justin Shin wrote:
> etc. anything on the drive. Of course, this is because PHP was invoked by
> apache, which is being run as a root user (Administrator, he runs apache on
> win2k3 for some odd reason) but I do not know the remedy. How could he set up
> his apache/PHP so that only the users of his web hosting service could "do
> stuff" to their own web directories. I know I am not explaining this well,

This is what you're looking for.

http://httpd.apache.org/docs-2.0/suexec.html

But, he needs to set the uid/gid of the apache process as a whole also. Running it on windows/nix doesn't change that. php safe_mode isn't a bad idea, but I think that the suexec will help you even more.

I always try and give my users enough rope to hang themselves, but not enough rope to hang me also (tough call sometimes).

jeremy

--
Jereme Kelley <jeremy 33ad.org>
All plenty which is not my God is poverty to me. -- Augustine.
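
The setup the reply points to, as an added httpd.conf example that is not part of the original message: it assumes Apache 2.0 on a Unix host with mod_suexec available and PHP run as a CGI program. The account names, hostnames and paths are constructed for illustration.

```apache
# Added example; accounts, hostnames and paths below are constructed.

# --- Weak: server processes keep the superuser account ---------------
# User  root
# Group root
# Any script the server executes can then touch anything on the drive.

# --- Corrected: server-wide unprivileged uid/gid ----------------------
# The parent starts as root only to bind port 80; the children that
# serve requests switch to this account.
User  apache
Group apache

# suexec: per-customer identity for CGI and SSI execution.
# Assumption: the suexec wrapper is installed, and the paths below sit
# inside the document root the wrapper was compiled for.
LoadModule suexec_module modules/mod_suexec.so

<VirtualHost *:80>
    ServerName   alice.example.com
    DocumentRoot /var/www/alice/htdocs
    # CGI programs in this vhost run as alice:alice, not apache:apache.
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ /var/www/alice/cgi-bin/
</VirtualHost>

<VirtualHost *:80>
    ServerName   bob.example.com
    DocumentRoot /var/www/bob/htdocs
    # bob's scripts cannot write to alice's tree: different uid, and
    # each tree is owned by its customer with no group/world write bit.
    SuexecUserGroup bob bob
    ScriptAlias /cgi-bin/ /var/www/bob/cgi-bin/
</VirtualHost>

# suexec only wraps CGI and SSI execution. PHP loaded as an Apache
# module runs inside the server process as apache:apache, so the
# per-customer uid applies only when PHP is invoked as a CGI program.
#
# safe_mode is set in php.ini, not here (PHP 4 era directive, removed
# in PHP 5.4):
#   safe_mode = On
```

The wrapper refuses to run a script whose file or directory is writable by anyone other than its owner, so customer directories need ownership and modes set to match the `SuexecUserGroup` account.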