Virtual Hosting Security
Adam Maloney
adamm at sihope.com
Tue Jul 29 10:43:26 PDT 2003
> the problem is that we offer php4 as a mod_php4 for Apache and even
> though we haven't had any problems (yet), in theory it is easy to set up a php
> script using filesystem functions to run, list and view file contents
> of other users... because the script is running as the www user and this user
> has permissions to enter/read all users' www directories.... how can I
> fix this? must I use suexec? does it run properly? do I have to put
> php as cgi only? what is the tradeoff in performance?
Last I checked into it, running it as CGI with suexec was the only "safe"
way to do it (although I think you can disable some of the dangerous
functions). I haven't looked into it in a while though, so maybe this has
been addressed.
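
The exposure discussed in this thread, as an added example that is not part of the original message: a small audit that applies the classic Unix owner/group/other check to each customer docroot and lists which ones a script can read under mod_php (every script runs as www) versus CGI with suexec (each script runs as its owner). The paths, uids, gids, and the `Docroot`, `can_list`, `exposed` and `stat_docroot` names are assumptions made up for the illustration.

```python
import os
import stat
from collections import namedtuple

# One record per customer web directory (fields mirror os.stat results).
Docroot = namedtuple("Docroot", "path st_uid st_gid st_mode")

def can_list(d, uid, gids):
    """Classic Unix check: may (uid, gids) list and enter directory d?"""
    if uid == 0:
        return True                      # root bypasses mode bits
    if uid == d.st_uid:
        bits = d.st_mode >> 6            # owner class applies
    elif d.st_gid in gids:
        bits = d.st_mode >> 3            # group class applies
    else:
        bits = d.st_mode                 # other class applies
    return bits & 0o5 == 0o5             # need r (list) and x (enter)

def exposed(docroots, uid, gids):
    """Docroots owned by someone else that this identity can read."""
    return [d.path for d in docroots
            if d.st_uid != uid and can_list(d, uid, gids)]

def stat_docroot(path):
    """Build a Docroot record from a real directory on disk."""
    st = os.stat(path)
    return Docroot(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

# Constructed sample data: uids 1001-1003 are customers, uid/gid 80 is www.
WWW_UID, WWW_GID = 80, 80
SAMPLE = [
    Docroot("/home/alice/www", 1001, WWW_GID, 0o750),
    Docroot("/home/bob/www",   1002, WWW_GID, 0o750),
    Docroot("/home/carol/www", 1003, 1003,    0o755),  # world-readable
]

if __name__ == "__main__":
    # mod_php: every customer's script runs with the web server's identity.
    print("mod_php:", exposed(SAMPLE, WWW_UID, {WWW_GID}))
    # CGI + suexec: alice's script runs as alice, in her own group only.
    print("suexec :", exposed(SAMPLE, 1001, {1001}))
```

In the sample, the www identity can read all three docroots, while alice's identity can read only the world-readable one, so per-user execution still depends on the "other" permission bits being cleared.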
More information about the freebsd-isp mailing list