Date: Tue, 29 Jul 2003 12:43:15 -0500 (CDT)
From: Adam Maloney <adamm@sihope.com>
To: Marco Gonçalves <marco@aces.pt>
Cc: FreeBSD ISP List <freebsd-isp@freebsd.org>
Subject: Re: Virtual Hosting Security
Message-ID: <Pine.BSI.4.05L.10307291241410.13779-100000@unix1.sihope.com>
In-Reply-To: <007d01c355f4$8e54a900$6b026b83@marco>

> The problem is that we offer php4 as mod_php4 for Apache, and even
> though we haven't had any problem (yet), in theory it is easy to set up a php
> script using filesystem functions to run, list and view file contents
> of other users... because the script is running as the www user and this user
> has permissions to enter/read all users' www directory.... How can I
> fix this? Must I use suexec? Does it run properly? Do I have to put
> php as cgi only? What is the tradeoff in performance?

Last I checked into it, running it as CGI with suexec was the only "safe" way to do it (although I think you can disable some of the dangerous functions). I haven't looked into it in a while though, so maybe this has been addressed.
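
The exposure described in the quoted question can be measured before and after any change. The following is an added example, not part of the original message: it lists the files under a hosting root that a given account can read according to the Unix mode bits. The function names and the command-line layout are assumptions made for illustration; the account name `www` comes from the thread.

```python
import os
import stat

def mode_allows(st, uid, gids, want):
    """Classic Unix check: select owner, group or other bits, then test them.
    `want` is a 3-bit mask (4 = read, 1 = search/execute)."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def readable_by(base, uid, gids):
    """Return the regular files under `base` that uid/gids can read,
    assuming `base` itself is reachable by that account."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(base):  # symlinks not followed
        # Search (x) permission is enough to open a file whose name is known,
        # so a directory counts as reachable even without read (listing).
        dirnames[:] = [d for d in dirnames
                       if mode_allows(os.lstat(os.path.join(dirpath, d)),
                                      uid, gids, 1)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and mode_allows(st, uid, gids, 4):
                exposed.append(path)
    return sorted(exposed)

if __name__ == "__main__":
    import grp
    import pwd
    import sys
    # Hypothetical usage: audit.py /home www  (both values are site-specific)
    base, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall()
                          if account in g.gr_mem}
    for path in readable_by(base, pw.pw_uid, gids):
        print(path)
```

Run it as root so the walk itself is not stopped by permissions. It checks mode bits only and does not account for ACLs or file flags.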