Message-ID: <20030819201048.6f35dec7.michael@bluesuperman.com>
From: michael at bluesuperman.com (Michael Gale)
Subject: securing php
Hello,
I do not use Microsoft products unless I have to, so I am not sure if you can do this with IIS. I stick with Slackware or BSD systems (Open, Net and Free).
On my Slackware box I have Apache installed, and in the config file there is the following option:
--snip--
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
User nobody
Group #-1
</IfModule>
</IfModule>
--snip--
I am not sure if the Windows version has this option - it may have something similar.
Michael.
On Tue, 19 Aug 2003 17:51:46 -0400
"Justin Shin" <zorkshin@...pabay.rr.com> wrote:
> Hi all --
>
> I have a friend that owns a web hosting company and recently he asked me to check up on his security ... I found that PHP scripts could access, modify, etc. anything on the drive. Of course, this is because PHP was invoked by apache, which is being run as a root user (Administrator, he runs apache on win2k3 for some odd reason) but I do not know the remedy. How could he set up his apache/PHP so that only the users of his web hosting service could "do stuff" to their own web directories. I know I am not explaining this well, but I think you get the picture :) I also know there is a simple solution to this, I googled it though and I couldn't find it.
>
> -- Justin
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
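
An added example, not part of the original messages and not Apache's own tooling: a small Python check that reads the User and Group directives quoted above and reports when httpd would stay privileged after startup, or when the group id falls outside the range the quoted config comment warns about. The function names, issue labels and sample text are constructed for illustration; the parser is deliberately simplified and ignores Include files and <IfModule>/<VirtualHost> scoping.

```python
import re

# Constructed sample input: the two directives quoted in the message above.
SAMPLE_CONF = """\
# User/Group: The name (or #number) of the user/group to run httpd as.
User nobody
Group #-1
"""

# Matches "User x" / "Group x" but not comments or directives such as UserDir.
DIRECTIVE = re.compile(r"^\s*(User|Group)\s+(\S+)", re.IGNORECASE)
MAX_SAFE_ID = 60000  # limit named in the quoted httpd.conf comment

def parse_identity(conf_text):
    """Return {'user': ..., 'group': ...}; a later line overrides an earlier one."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip('"')
    return found

def numeric_id(value):
    """Return the integer behind a '#number' value, or None for a name."""
    m = re.fullmatch(r"#(-?\d+)", value)
    return int(m.group(1)) if m else None

def audit(conf_text):
    """Return a list of (directive, value, issue) tuples; empty means no findings."""
    findings = []
    ident = parse_identity(conf_text)
    for key in ("user", "group"):
        value = ident.get(key)
        if value is None:
            findings.append((key, None, "not-set-in-this-file"))
            continue
        num = numeric_id(value)
        if value.lower() == "root" or num == 0:
            findings.append((key, value, "runs-privileged"))
        elif key == "group" and num is not None and not 0 < num <= MAX_SAFE_ID:
            # -1 read as unsigned is far above 60000, hence the quoted warning.
            findings.append((key, value, "gid-outside-portable-range"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```
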