Message-ID: <20030820234100.GA9359@33ad.org>
From: jeremy at 33ad.org (jeremy@...d.org)
Subject: securing php
On Tue, Aug 19, 2003 at 05:51:46PM -0400, Justin Shin wrote:
> etc. anything on the drive. Of course, this is because PHP was invoked by
> apache, which is being run as a root user (Administrator, he runs apache on
> win2k3 for some odd reason) but I do not know the remedy. How could he set up
> his apache/PHP so that only the users of his web hosting service could "do
> stuff" to their own web directories. I know I am not explaining this well,

This is what you're looking for. http://httpd.apache.org/docs-2.0/suexec.html

But, he needs to set the uid/gid of the apache process as a whole also.
Running it on windows/nix doesn't change that.

php safe_mode isn't a bad idea, but I think that the suexec will help you even
more. I always try and give my users enough rope to hang themselves, but not
enough rope to hang me also (tough call sometimes).

jeremy
--
Jereme Kelley <jeremy 33ad.org>
All plenty which is not my God is poverty to me. -- Augustine.
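
A quick audit of the two settings recommended in the reply above, as an added example that is not part of the original post: it flags a server-wide `User`/`Group` of root and any `<VirtualHost>` with no `SuexecUserGroup` mapping. The sample configuration, hostnames and the `audit` helper are constructed for illustration, and the sketch assumes a Unix-style `httpd.conf` with suexec set per virtual host.

```python
# Constructed sample httpd.conf for a shared host (not from the original post).
SAMPLE_CONF = """\
User root
Group #0
<VirtualHost *:80>
    ServerName alice.example.com
    SuexecUserGroup alice alice
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example.com
</VirtualHost>
"""

ROOT_IDS = {"root", "#0"}  # Apache takes a name or "#" plus a numeric id


def audit(conf_text):
    """Return findings for a root server identity and vhosts lacking suexec."""
    findings = []
    vhost = None  # state for the <VirtualHost> block currently being read
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        lowered = line.lower()
        if lowered.startswith("<virtualhost"):
            vhost = {"name": "(unnamed)", "suexec": False}
        elif lowered.startswith("</virtualhost") and vhost is not None:
            if not vhost["suexec"]:
                findings.append(f"vhost {vhost['name']}: no SuexecUserGroup")
            vhost = None
        else:
            parts = line.split()
            key, args = parts[0].lower(), parts[1:]
            if key in ("user", "group") and vhost is None and args:
                if args[0].lower() in ROOT_IDS:
                    findings.append(f"server-wide {parts[0]} is {args[0]}")
            elif key == "servername" and vhost is not None and args:
                vhost["name"] = args[0]
            elif key == "suexecusergroup" and vhost is not None and len(args) == 2:
                # Mapping a vhost to root would defeat the point of suexec.
                vhost["suexec"] = not any(a.lower() in ROOT_IDS for a in args)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

suexec only changes the identity of CGI and SSI programs, so PHP scripts are covered only when PHP is run as a CGI rather than as an in-process Apache module.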