Virtual Hosting Security

Kurt Jaeger lists at complx.LF.net
Tue Jul 29 11:05:13 PDT 2003


Hi!

> the problem is that we offer php4 as a mod_php4 for Apache and
> even though we haven't had a problem (yet), in theory it is easy to set
> up a php script using filesystem functions to run, list and view
> file contents of other users... because the script is running as the www
> user and this user has permissions to enter/read all users' www
> directories.... How can I fix this? Must I use suexec? Does it run
> properly? Do I have to put php as cgi only? What is the tradeoff
> in performance?

Use jails. Any other solution will lead to a mess.

We're running similar setups and we are really sick of it 8-} and
will migrate to jails as soon as our support staff is through
with testing.

-- 
MfG/Best regards, Kurt Jaeger                                  17 years to go !
LF.net GmbH        fon +49 711 90074-23  pi at LF.net  
Ruppmannstr. 27    fax +49 711 90074-33
D-70565 Stuttgart  mob +49 171 3101372
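
An added example, not part of the original post or of either poster's setup: a Python audit of the exposure described in the quoted question, reporting which customer document roots a given uid (the shared www user) can list and enter. The function names, the sample tree and the uid/gid values are assumptions for illustration; it evaluates only the classic owner/group/other mode bits and ignores ACLs and root.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet (0-7) the kernel applies to uid/gids: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def exposed_docroots(base, uid, gids):
    """Names of directories under base that uid/gids can both list (r) and enter (x)."""
    hits = []
    for name in sorted(os.listdir(base)):
        st = os.lstat(os.path.join(base, name))
        if stat.S_ISDIR(st.st_mode) and (class_bits(st, uid, gids) & 5) == 5:
            hits.append(name)
    return hits

def build_sample(base):
    """Constructed sample tree: three customer docroots with different modes."""
    for name, mode in (("alice", 0o755), ("bob", 0o750), ("carol", 0o700)):
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)  # set explicitly so the umask does not interfere

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample(base)
        st = os.stat(os.path.join(base, "bob"))
        web_uid = st.st_uid + 1  # assumption: stands in for the shared www uid
        # www as a plain "other" user: only world-readable docroots are reachable.
        print("www, no shared group:", exposed_docroots(base, web_uid, set()))
        # www in the docroots' group (a common way to let Apache serve them).
        print("www in docroot group:", exposed_docroots(base, web_uid, {st.st_gid}))
```

Under mod_php every customer's script runs with that same uid, so each directory the audit lists is readable from any customer's script, and any docroot Apache has to serve will appear in the list.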


More information about the freebsd-isp mailing list