From owner-freebsd-questions@FreeBSD.ORG  Thu Jul 12 07:13:17 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 1A55116A400
	for <freebsd-questions@freebsd.org>;
	Thu, 12 Jul 2007 07:13:17 +0000 (UTC) (envelope-from bsd@kajs.co.nz)
Received: from mail5.inspire.net.nz (mail.inspire.net.nz [203.114.168.5])
	by mx1.freebsd.org (Postfix) with ESMTP id B812913C457
	for <freebsd-questions@freebsd.org>;
	Thu, 12 Jul 2007 07:13:16 +0000 (UTC) (envelope-from bsd@kajs.co.nz)
Received: from localhost (unknown [10.0.168.8])
	by mail5.inspire.net.nz (Postfix) with ESMTP id 2259EDC45D
	for <freebsd-questions@freebsd.org>;
	Thu, 12 Jul 2007 19:13:13 +1200 (NZST)
Received: from mail5.inspire.net.nz ([10.0.168.5])
	by localhost (mail8.inspire.net.nz [10.0.168.8]) (amavisd-new,
	port 10024)
	with ESMTP id 4ay4UKxtCjMq for <freebsd-questions@freebsd.org>;
	Thu, 12 Jul 2007 19:09:58 +1200 (NZST)
Received: from jbox.kajs.co.nz (203-114-173-171.eth.sta.inspire.net.nz
	[203.114.173.171])
	by mail5.inspire.net.nz (Postfix) with ESMTP id F0B2ADC44E
	for <freebsd-questions@freebsd.org>;
	Thu, 12 Jul 2007 19:13:12 +1200 (NZST)
Message-ID: <4695D489.8050607@kajs.co.nz>
Date: Thu, 12 Jul 2007 19:13:13 +1200
From: Josh <bsd@kajs.co.nz>
User-Agent: Thunderbird 2.0.0.0 (X11/20070620)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: ACL/MAC for shared host
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2007 07:13:17 -0000

Hello there.

I have apache running php-cgi via fastcgi and suexec on a shared system. 
Each vhost has a SuexecUserGroup set to the user/group of normal system 
account ( which does not have shell access ) which owns the vhost.

Now. I was wondering what the best way of using MAC/ACL's to stop a 
uid:gid ( Suexec user/group ) from being able to run anything other than 
what php has to use, eg, so from php it cannot run system("ls /etc") or 
such like.

Anyone done this before?

It seems to be that not many people seem to care about php security on a 
shared host.

Any comments at all would be appriciated.

Cheers, Josh