Full Disclosure mailing list archives
Re: securing php
From: Michael Gale <michael () bluesuperman com>
Date: Tue, 19 Aug 2003 20:10:48 -0400
Hello, Do not use Microsoft product unless I have to so I am not sure if you can do this with IIS. I stick with slackware or BSD systems (open, net and Free). On my slackware box I have apache install and in the config file there is the following option: --snip-- # # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. # # User/Group: The name (or #number) of the user/group to run httpd as. # . On SCO (ODT 3) use "User nouser" and "Group nogroup". # . On HPUX you may not be able to use shared memory as nobody, and the # suggested workaround is to create a user www and use that user. # NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) # when the value of (unsigned)Group is above 60000; # don't use Group #-1 on these systems! # User nobody Group #-1 </IfModule> </IfModule> --snip-- I am not sure if the windows version has this option - it may have something similar. Michael. On Tue, 19 Aug 2003 17:51:46 -0400 "Justin Shin" <zorkshin () tampabay rr com> wrote:
Hi all -- I have a friend that owns a web hosting company and recently he asked me to check up on his security ... I found that PHP scripts could access, modify, etc. anything on the drive. Of course, this is because PHP was invoked by apache, which is being run as a root user (Administrator, he runs apache on win2k3 for some odd reason) but I do not know the remedy. How could he set up his apache/PHP so that only the users of his web hosting service could "do stuff" to their own web directories. I know I am not expl aining this well, but I think you get the picture :) I also know there is a simple solution to this, I googled it though and I couldn't find it. -- Justin _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- securing php Justin Shin (Aug 19)
- Re: securing php Michael Gale (Aug 19)
- Re: securing php Paul Schmehl (Aug 19)
- Re: securing php Larry W. Cashdollar (Aug 19)
- Re: securing php Evan Nemerson (Aug 20)
- Re: securing php jeremy (Aug 20)
- <Possible follow-ups>
- RE: securing php Rainer Gerhards (Aug 20)
- Re: securing php Michael Gale (Aug 19)