Re: [d-security] Re: Apache + PHP and user permissions
On Tue, Jul 23, 2002 at 03:31:20PM +0200, Ralf Dreibrodt wrote:
> > What kind of security can I use to avoid this ? Can we chroot the PHP
> > (Yes I know it's a strange sentence :) ?
> 1. care about every service:
> use SuEXEC for CGIs, Safe Mode for PHP, a good directory and right

A much better approach is using the "sbox" tool to not only chroot php but
every CGI binary (php will then be a cgi, too). It has the additional
benefit of having a unique UID for every user that runs php/cgi processes
so users can no longer play "killall -9" to shoot each other up...

> 2. chroot everything
> just chroot the users at the login after ssh (if you want to allow ssh),
> chroot apache (that means every user must have one apache-process), chroot
> ftp (what you have already done).

This will be a great loss of performance and a waste of server resources :-)
Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
firstname.lastname@example.org Internet & Security for Professionals Fax 0241/911879
WESTEND ist CISCO Systems Partner - Authorized Reseller
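
The confinement the reply above describes (chroot each CGI and run it under a per-user UID) depends on doing the privilege drop in the right order. The sketch below is an added example, not part of the original message and not sbox's own code; `drop_into_jail`, `target_ok`, `MIN_ID`, the jail path and UID 1001 are hypothetical names and constructed values.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MIN_ID 1000  /* assumed floor: refuse root and system accounts */

/* Returns 1 if the per-user target identity is acceptable, else 0. */
int target_ok(uid_t uid, gid_t gid)
{
    if (uid == (uid_t)-1 || gid == (gid_t)-1)
        return 0;
    return uid >= MIN_ID && gid >= MIN_ID;
}

/* Confine the calling (root) process to `jail` and switch to uid/gid.
 * Returns 0 on success, -1 on any failure; on failure the caller must
 * refuse to run the script. */
int drop_into_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (!target_ok(uid, gid))
        return -1;
    /* chroot needs root, so it comes before the UID switch; chdir("/")
     * afterwards puts the working directory inside the jail. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* Order matters: supplementary groups, then GID, then UID. Once the
     * UID is dropped the other two can no longer be changed. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample values: one customer's jail and UID/GID. */
    const char *jail = argc > 1 ? argv[1] : "/var/jail/customer1";
    if (drop_into_jail(jail, 1001, 1001) != 0) {
        fprintf(stderr, "refusing to run CGI: confinement failed\n");
        return 1;
    }
    /* A real wrapper would now execve() the script with a clean environment. */
    printf("confined to %s as uid %d\n", jail, (int)getuid());
    return 0;
}
```

Because each customer's scripts run under their own UID, a `kill` issued from one customer's script cannot signal another customer's processes.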