From: michael at bluesuperman.com (Michael Gale)
Subject: securing php

Hello,

I do not use Microsoft products unless I have to, so I am not sure if you can do this with IIS. I stick with Slackware or BSD systems (Open, Net and Free).

On my Slackware box I have Apache installed, and in the config file there is the following option:

--snip--
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group #-1 on these systems!
#
User nobody
Group #-1
</IfModule>
</IfModule>
--snip--

I am not sure if the windows version has this option - it may have something similar.

Michael.

On Tue, 19 Aug 2003 17:51:46 -0400
"Justin Shin" <zorkshin@...pabay.rr.com> wrote:

> Hi all --
> 
> I have a friend that owns a web hosting company and recently he asked me to check up on his security ... I found that PHP scripts could access, modify, etc. anything on the drive. Of course, this is because PHP was invoked by apache, which is being run as a root user (Administrator, he runs apache on win2k3 for some odd reason) but I do not know the remedy. How could he set up his apache/PHP so that only the users of his web hosting service could "do stuff" to their own web directories. I know I am not explaining this well, but I think you get the picture :) I also know there is a simple solution to this, I googled it though and I couldn't find it.
> 
> -- Justin
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
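The User/Group directives Michael quotes are the control that keeps PHP (running inside the Apache workers) from having root access to the whole disk. The script below is an added example, not code from the list post or from Apache: it reads the effective User directive out of an httpd.conf, flags a configuration whose workers would keep root, and counts root-owned httpd processes on a running box. The config path, function names and the sample config it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the list post): audit an httpd.conf for the
# User/Group directives Michael describes, so a configuration that would run
# PHP-executing workers as root is caught before the server is restarted.

# Effective value of a directive: skip comment lines (a '#' only starts a
# comment at line start; "Group #-1" is a numeric gid), last occurrence wins.
httpd_directive() {   # $1 = directive name, $2 = config file
    grep -v '^[[:space:]]*#' "$2" |
        awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 }
                       END { if (v != "") print v }'
}

# Returns 0 if the configured User is unprivileged, 1 otherwise.  A missing
# User directive means httpd keeps the uid it was started with (root under init).
httpd_user_ok() {     # $1 = config file
    case "$(httpd_directive User "$1")" in
        ""|root|"#0") return 1 ;;
        *)            return 0 ;;
    esac
}

# Live check: with "User nobody" only the parent that binds port 80 stays
# root, so more than one root-owned httpd process means workers run as root.
root_httpd_count() {
    ps axo user=,comm= 2>/dev/null |
        awk '$1 == "root" && $2 ~ /^(httpd|apache2?)$/ { n++ } END { print n+0 }'
}

# Constructed sample in the layout Michael quoted, for offline testing.
write_sample_config() {   # $1 = output path
    cat > "$1" <<'EOF'
<IfModule !mpm_winnt.c>
# User/Group: The name (or #number) of the user/group to run httpd as.
#  don't use Group #-1 on these systems!
User nobody
Group #-1
</IfModule>
EOF
}

# Usage: sh audit_httpd.sh /path/to/httpd.conf   (path is an assumption)
if [ $# -eq 1 ]; then
    if httpd_user_ok "$1"; then
        echo "ok: workers will run as $(httpd_directive User "$1")"
    else
        echo "WARNING: httpd workers would run as root"
    fi
    echo "root-owned httpd processes now: $(root_httpd_count)"
fi
```

Run it against the real httpd.conf after editing, then confirm with the process count that only the parent is still root once the server has been restarted.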


