safely running php scripts
Jez Hancock
jez.hancock at munk.nu
Mon Jun 2 07:34:37 PDT 2003
On Mon, Jun 02, 2003 at 04:18:02PM +0200, Maarten de Vries wrote:
> Hi,
>
> I would like the php scripts that are hosted on my Apache server (FreeBSD
> 4.8), to run under the UID/GID's that belong to the useraccounts in
> question; not the webservers'.
> Before, I patched Apache so it ran php's under SuExec, but now the php
> standalonebinary port has disappeared, so that seems to be not an option
> anymore.
>
> Any pointers to set it all up in a safe manner again would be much
> appreciated!
Read up on safe_mode and open_basedir.
A sample vhost stub using the two in conjunction:
<VirtualHost *>
ServerName www.example.com
DocumentRoot /home/example/web
php_admin_value safe_mode 1
php_admin_value open_basedir /home/example/web
</VirtualHost>
the open_basedir line restricts users to only operating on files under
/home/example/web (ie stops users from 'snooping' on other user's
files).
The safe_mode line restricts the functionality of a large
number of PHP functions - not to mention checking that the user who owns
the script also owns the files the script attempts to operate on (this
is from memory though, checkout the chapter on safe mode in the manual
for detailed info).
AFAIK this is the closest PHP gets to running a script under the same
UID/GID as the user/group that owns the script.
More information about the freebsd-questions
mailing list