[2154] in linux-security and linux-alert archive


[linux-security] Re: php3 module and security

daemon@ATHENA.MIT.EDU (Peter H. Lemieux)
Mon May 10 12:52:12 1999

Date: Mon, 10 May 1999 10:20:57 -0400
From: "Peter H. Lemieux" <phl@cyways.com>
To: "Levy Carneiro Jr." <levy@fractal.com.br>
CC: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

When run as an Apache module, PHP inherits the uid and gid of the Apache
daemon, typically the user/group "nobody" or "httpd".  To keep PHP out of
your files, just make sure they can't be seen by that user.  This user's
file creation privileges determine where PHP files can write files.  So if
the web server user is named "httpd," it should be able to write into
/home/httpd.

However, if you're managing a shared web server with multiple PHP users,
you'll probably want to invoke PHP's safe mode, which as you rightly point
out, is only available if PHP is compiled as a CGI binary, not as an Apache
module.  I don't see that as much of a penalty, plus you can control access
to PHP by only giving copies of the binary to "trusted" users.

Peter


-----

Peter H. Lemieux                            Voice:      (800) 5-CYWAYS
CYWAYS, Incorporated                                 +1 (617) 796-8995
19 Westchester Road                         Fax:     +1 (617) 796-8997
Newton, Massachusetts 02458-2519 USA        Web: http://www.cyways.com



"Levy Carneiro Jr." wrote:
>         If a user at an ISP creates a .php3 file with read/write functions,
> he'll have permission to read/overwrite some private files.
> I need a way to specify which directory will be viewed by the parser.
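
The rule in Peter's reply (PHP as an Apache module can reach exactly what the Apache daemon's uid/gid can reach), as an added audit script that is not part of the original mail: it resolves the web server account (name assumed, e.g. "httpd", passed on the command line) and lists the files under a directory that this account could read or write under the normal owner/group/other mode check, including the case where a restrictive group class overrides a permissive "other" class.

```python
# Added example, not from the original mail.  PHP as an Apache module runs with
# the uid/gid of the Apache daemon ("nobody" or "httpd"), so a script can touch
# any file that account can touch; this audit lists such files (names assumed).
import grp
import os
import pwd
import stat
import sys


def accessible(mode, file_uid, file_gid, uid, gids, want_write=False):
    # Classic Unix check: exactly one class applies (owner, else group if the
    # file's gid is among the caller's groups, else other).  uid 0 is not
    # special-cased on purpose: the web server must not run as root.
    if uid == file_uid:
        bit = stat.S_IWUSR if want_write else stat.S_IRUSR
    elif file_gid in gids:
        bit = stat.S_IWGRP if want_write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if want_write else stat.S_IROTH
    return bool(mode & bit)


def account_ids(name):
    # Resolve a user name to (uid, gids) including supplementary groups.
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def find_exposed(root, uid, gids):
    # Yield (path, 'r' | 'w' | 'rw') for regular files the account could read
    # and/or write.  Directory search permission is not modelled (worst case).
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            r = accessible(st.st_mode, st.st_uid, st.st_gid, uid, gids)
            w = accessible(st.st_mode, st.st_uid, st.st_gid, uid, gids, True)
            if r or w:
                yield path, ("r" if r else "") + ("w" if w else "")


if __name__ == "__main__":  # e.g. python audit.py httpd /home
    uid, gids = account_ids(sys.argv[1])
    for path, perms in find_exposed(sys.argv[2], uid, gids):
        print(f"{perms:2} {path}")
```

Anything the script lists under a user's home is what a .php3 script on the same server could read or overwrite; chmod those files so the "other" (or, if the web server user shares the group, the "group") class has no bits.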

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

