[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apache/PHP/FTP and user rights


A stub runs as root, yes, but all the threads that actually handle requests
are running as the correct non-priveleged user on my system.

I've never experienced a problem with cgi-php and very much doubt debian
would provide it as a package if it provided such a big hole.

Phillip Baker
LC Host Administrator

----- Original Message -----
From: "Marcin Sochacki" <wanted@gnu.univ.gda.pl>
To: <nbougues-listes@axialys.net>
Sent: Thursday, August 01, 2002 4:29 PM
Subject: Re: Apache/PHP/FTP and user rights

> On Thu, Aug 01, 2002 at 03:40:23PM +0200, nbougues-listes@axialys.net
> > I'm facing a problem I thought would be fairly easy to deal with, but
> > haven't found a proper solution. Here it is :
> >
> > We have a web werver hosting a few tens of customers using
> > VirtualHosts. We have mod_php and use FTP for updates, each customer
> > having its own UID.
> [...]
> > What we consider the "right" solution would be to have Apache run as
> > user.user in each virtual host. This seems to be doable with
> > User/Group directives. Unfortunatly :
> Apache doesn't honor those options in virtual host context, unless run
> as root and recompiled with some -DBIG_SECURITY_HOLE option.
> Obviously this is not a very secure solution.
> Take a look here:
> http://ftw.zamosc.pl/~lw/mdp/
> http://luxik.cdi.cz/~devik/apache/
> Wanted
> --
> To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact

Reply to: