ACL/MAC for shared host

Josh bsd at
Thu Jul 12 07:13:17 UTC 2007

Hello there.

I have apache running php-cgi via fastcgi and suexec on a shared system. 
Each vhost has a SuexecUserGroup set to the user/group of normal system 
account ( which does not have shell access ) which owns the vhost.

Now. I was wondering what the best way of using MAC/ACL's to stop a 
uid:gid ( Suexec user/group ) from being able to run anything other than 
what php has to use, eg, so from php it cannot run system("ls /etc") or 
such like.

Anyone done this before?

It seems to be that not many people seem to care about php security on a 
shared host.

Any comments at all would be appriciated.

Cheers, Josh

More information about the freebsd-questions mailing list