
Re: Apache Virtual Hosts Chroot ?



On Tue, Feb 25, 2003 at 10:15:15AM +0100, debian-isp wrote:
> I am just asking myself how to secure our webserver with a couple of virtual hosts. 
> Currently we have a large installation of typo3 running. It has a feature called
> fileadmin with which you can easily upload files. As it is thereby possible to
> upload php scripts and execute via the browser it is in my opinion possible to
> access other users files. As the webserver and the files all have the same user,
> needed by the system. 

> Is there a way to secure this: 
> 
> - chrooting virtual hosts in apache ? 
> - running multiple instances of apache 
> - some kind of security system with users and groups 
> - using directory settings ? 

You can effectively chroot php files with:
php_admin_value open_basedir /directory/where/files/are
in the Apache virtual host config. Then:
a) php4 won't let files outside that directory be accessed;
b) apacheconfig will recognise php4 as being a required module,
as apacheconfig recognises module requirements by checking for
their configuration directives... :-) (See bug #158391)

I realise this is php4 specific, but any other enabled scripting
languages should also have a similar option. (If you're using
the cgi version, then this might not work... Then of course you
can use suexec or SetEnv PHPRC to do it... See bug #161627)

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.
 -- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------
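
A check for the per-virtual-host open_basedir setting described in the reply above, as an added example that is not part of the original post: it reads Apache config text and reports virtual hosts that have no open_basedir, or whose open_basedir also covers another host's DocumentRoot. The host names, paths and function names are constructed for illustration; it assumes every VirtualHost block has a ServerName and a DocumentRoot, and Unix-style colon-separated open_basedir entries.

```python
import re
from pathlib import PurePosixPath

# Constructed sample config (not from the original post); names and paths are made up.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName a.example
    DocumentRoot /var/www/a
    php_admin_value open_basedir /var/www/a:/tmp/a
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    DocumentRoot /var/www/b
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
    DocumentRoot /var/www/c
    php_admin_value open_basedir /var/www
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(block, name):
    """Return the argument string of the first matching directive, or None."""
    m = re.search(r"^\s*" + name + r"\s+(.+?)\s*$", block, re.M | re.I)
    return m.group(1).strip('"') if m else None

def parse_vhosts(conf):
    """Assumes each block has ServerName and DocumentRoot (see lead-in)."""
    hosts = []
    for block in VHOST_RE.findall(conf):
        basedir = directive(block, r"php_admin_value\s+open_basedir")
        hosts.append({"name": directive(block, "ServerName"),
                      "root": PurePosixPath(directive(block, "DocumentRoot")),
                      "allowed": [PurePosixPath(p) for p in basedir.split(":")] if basedir else []})
    return hosts

def audit(conf):
    """Findings: a vhost without open_basedir, or one whose open_basedir reaches another vhost."""
    hosts, findings = parse_vhosts(conf), []
    for h in hosts:
        if not h["allowed"]:
            findings.append(f"{h['name']}: no open_basedir set")
        for other in hosts:  # is another host's DocumentRoot equal to or below an allowed dir?
            if other is not h and any(a == other["root"] or a in other["root"].parents
                                      for a in h["allowed"]):
                findings.append(f"{h['name']}: open_basedir covers {other['name']} ({other['root']})")
    return sorted(findings)

print("\n".join(audit(SAMPLE_CONF)))
```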
