[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [d-security] Re: Apache + PHP and user permissions

On Tue, Jul 23, 2002 at 03:31:20PM +0200, Ralf Dreibrodt wrote:
> > What kind of security can I use to avoid this ? Can we chroot the PHP
> > (Yes I know it's a strange sentence :) ?
> 1. care about every service:
> use SuEXEC for CGIs, Safe Mode for PHP, a good directory and right
> structure.
A much better approach is using the "sbox" tool to not only chroot php but
every CGI binary (php will then be a cgi, too). It has the additional
benefit of having a unique UID for every user that runs php/cgi processes
so users can no longer play "killall -9" to shoot each other up...

> 2. chroot everything
> just chroot the users at the login after ssh (if you want to allow ssh),
> chroot apache (that means every user must have one apache-process), chroot
> ftp (what you have already done).
This will be a great loss of performance and a waste of server resources :-)


Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
ch@westend.com     Internet & Security for Professionals    Fax 0241/911879
          WESTEND ist CISCO Systems Partner - Authorized Reseller

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: