Full Disclosure mailing list archives
RE: securing php
From: "Rainer Gerhards" <rgerhards () hq adiscon com>
Date: Wed, 20 Aug 2003 09:34:44 +0200
Apache does not need to run as Administrator under Win32. In fact, the Apache folks recommend NOT to do this. It is on by default, so that it fits into the "Wíndows security model". See the Apache web site for how to run it under a different user - they have doc (but I don't have the link right now;)). Keep in mind, though, that even when run as a non-admin, Apache requires some considerate priveleges. If not done so, please also check on PHPs safe mode (far from bullet-proof, but another hurdle).... Rainer
-----Original Message----- From: Paul Schmehl [mailto:pauls () utdallas edu] Sent: Wednesday, August 20, 2003 4:09 AM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] securing php --On Tuesday, August 19, 2003 20:10:48 -0400 Michael Gale <michael () bluesuperman com> wrote:# User nobody Group #-1 </IfModule> </IfModule> --snip-- I am not sure if the windows version has this option - it may have something similar.I'm not sure why you would *want* to run Apache on Windows, but I'm certain that it would have the same options as *nix where possible. If you're insistent in running a web server on Windows, Apache is probably the better choice, though. The problem with Windows is that the concept of running servers as unprivileged users or starting a daemon as root and then dropping privileges doesn't correspond one to one with the *nix security model. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- securing php Justin Shin (Aug 19)
- Re: securing php Michael Gale (Aug 19)
- Re: securing php Paul Schmehl (Aug 19)
- Re: securing php Larry W. Cashdollar (Aug 19)
- Re: securing php Evan Nemerson (Aug 20)
- Re: securing php jeremy (Aug 20)
- <Possible follow-ups>
- RE: securing php Rainer Gerhards (Aug 20)
- Re: securing php Michael Gale (Aug 19)