Apache + PHP and user permissions

To: debian-security@lists.debian.org
Subject: Apache + PHP and user permissions
From: StarK <stark@dioxygen.net>
Date: Tue, 23 Jul 2002 15:25:22 +0200
Message-id: <[🔎] 20020723132522.GA21262@patator.abris13.org>

Hello,

I'm helping someone to install a webserver, and we're trying to make it
a little secure. It's a Woody with Apache 1.3.26 and PHP 4.1.2. For the
users we have a ProFTPd with mod_sql (the users are in the database).

Currently all the site are set to user www-data and when the user access
with the FTP they are chrooted to their directory. My friend want me to
activate quota for every site. So I think I must set each site with a
real user as owner of the files. But with this, as Apache is launched as
www-data, users must set their directory to 701 and files to 604, I'm
right ? But in PHP, if they try to access other files from other usrers
with eventually some password... they are able to.

What kind of security can I use to avoid this ? Can we chroot the PHP
(Yes I know it's a strange sentence :) ?

Thanks to help me, and sorry for my (very) bad english.

-- 
StarK - Abris 13 - Confrérie Dioxygen
IRCNet : #O2
stark@abris13.org / stark@dioxygen.net
abris13.org / http://www.dioxygen.net/


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: Apache + PHP and user permissions
  - From: Ralf Dreibrodt <rd@mesos.de>

Prev by Date: Re: Can you direct kernel messages?
Next by Date: Re: Apache + PHP and user permissions
Previous by thread: Re: Can you direct kernel messages?
Next by thread: Re: Apache + PHP and user permissions
Index(es):
- Date
- Thread