Message-ID: <28915501A44DBA4587FE1019D675F983093A7E@grfint.intern.adiscon.com>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: securing php

Apache does not need to run as Administrator under Win32. In fact, the Apache folks recommend NOT to do this. It is on by default, so that it fits into the "Windows security model". See the Apache web site for how to run it under a different user - they have doc (but I don't have the link right now;)).

Keep in mind, though, that even when run as a non-admin, Apache requires some considerable privileges. If not done so, please also check on PHP's safe mode (far from bullet-proof, but another hurdle)....

Rainer

> -----Original Message-----
> From: Paul Schmehl [mailto:pauls@...allas.edu] 
> Sent: Wednesday, August 20, 2003 4:09 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] securing php
> 
> 
> --On Tuesday, August 19, 2003 20:10:48 -0400 Michael Gale 
> <michael@...esuperman.com> wrote:
> >#
> > User nobody
> > Group #-1
> > </IfModule>
> > </IfModule>
> > --snip--
> >
> > I am not sure if the windows version has this option - it may have
> > something similar.
> 
> I'm not sure why you would *want* to run Apache on Windows, but I'm
> certain that it would have the same options as *nix where possible.
> If you're insistent in running a web server on Windows, Apache is
> probably the better choice, though.
> 
> The problem with Windows is that the concept of running servers as 
> unprivileged users or starting a daemon as root and then dropping 
> privileges doesn't correspond one to one with the *nix security model.
> 
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

