lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: jeremy at 33ad.org (jeremy@...d.org)
Subject: securing php

On Tue, Aug 19, 2003 at 05:51:46PM -0400, Justin Shin wrote:
> etc. anything on the drive. Of course, this is because PHP was invoked by
> apache, which is being run as a root user (Administrator, he runs apache on
> win2k3 for some odd reason) but I do not know the remedy. How could he set up
> his apache/PHP so that only the users of his web hosting service could "do
> stuff" to their own web directories. I know I am not explaining this well,

This is what you're looking for.   http://httpd.apache.org/docs-2.0/suexec.html

But, he needs to set the uid/gid of the apache process as a whole also.
Running it on windows/nix doesnt change that.

php safe_mode isn't a bad idea, but I think that the suexec will help you even
more.  I always try and give my users enough rope to hang themselves, but not
enough rope to hang me also (tough call sometimes).

jeremy

-- 
  Jereme Kelley <jeremy 33ad.org>
  All plenty which is not my God is poverty to me. -- Augustine.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ