| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: lwc at vapid.ath.cx (Larry W. Cashdollar) Subject: securing php Justin, I recommend for server security and stability sake in a production environment, to run software on the platform it was developed on. Atleast in this case. So you want to run apache? run it on a *nix variant. I have never run IIS so I can't compare it to Windows native http server. At least what I have seen with software that has been ported from Windows to UNIX (Solaris in this case) is the differences in security models tend to fall through the cracks. I suspect this case might be the same the other way around. The nativly written stuff has had longer to bake etc... -- Larry C$ "Justin Shin" <zorkshin@...pabay.rr.com> wrote: > Hi all -- > > I have a friend that owns a web hosting company and recently he asked me to > check up on his security ... I found that PHP scripts could access, >modify, etc. anything on the drive. Of course, this is because PHP was >invoked by apache, which is being run as a root user (Administrator, he >runs apache on win2k3 for some odd reason) but I do not know the remedy. >How could he set up his apache/PHP so that only the users of his web >hosting service could "do stuff" to their own web directories. I know I >am not explaining this well, but I think you get the picture :) I also >know there is a simple solution to this, I googled it though and I >couldn't find it.
Powered by blists - more mailing lists