lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030819225109.O49358-100000@vapid.ath.cx>
From: lwc at vapid.ath.cx (Larry W. Cashdollar)
Subject: securing php

Justin,

I recommend for server security and stability sake in a production
environment, to run software on the platform it was developed on.  Atleast
in this case.  So you want to run apache? run it on a *nix variant.  I
have never run IIS so I can't compare it to Windows native http server.

At least what I have seen with software that has been ported from Windows
to UNIX (Solaris in this case) is the differences in security models tend
to fall through the cracks.  I suspect this case might be the same
the other way around.  The nativly written stuff has had longer to bake
etc...

-- Larry C$

"Justin Shin" <zorkshin@...pabay.rr.com> wrote:

> Hi all --
>
> I have a friend that owns a web hosting company and recently he asked me to
> check up on his security ... I found that PHP scripts could access,
>modify, etc. anything on the drive. Of course, this is because PHP was
>invoked by apache, which is being run as a root user (Administrator, he
>runs apache on win2k3 for some odd reason) but I do not know the remedy.
>How could he set up his apache/PHP so that only the users of his web
>hosting service could "do stuff" to their own web directories. I know I
>am not explaining this well, but I think you get the picture :) I also
>know there is a simple solution to this, I googled it though and I
>couldn't find it.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ