Re: [d-security] Re: Apache + PHP and user permissions
On Tue, Jul 23, 2002 at 03:31:20PM +0200, Ralf Dreibrodt wrote:
> > What kind of security can I use to avoid this ? Can we chroot the PHP
> > (Yes I know it's a strange sentence :) ?
>
> 1. care about every service:
>
> use SuEXEC for CGIs, Safe Mode for PHP, a good directory and right
> structure.

A much better approach is using the "sbox" tool to not only chroot php but
every CGI binary (php will then be a cgi, too). It has the additional
benefit of having a unique UID for every user that runs php/cgi processes
so users can no longer play "killall -9" to shoot each other up...

> 2. chroot everything
> just chroot the users at the login after ssh (if you want to allow ssh),
> chroot apache (that means every user must have one apache-process), chroot
> ftp (what you have already done).

This will be a great loss of performance and a waste of server resources :-)

bye,

-christian-
--
Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
ch@westend.com Internet & Security for Professionals Fax 0241/911879
WESTEND ist CISCO Systems Partner - Authorized Reseller
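
The confinement sequence that a CGI wrapper of the kind recommended above has to perform (chroot, then an irreversible switch to a per-user UID), shown as an added example: it is not part of the original message and it is not sbox's code. The MIN_ID policy, the step numbers and the command-line layout are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define MIN_ID 1000              /* assumed policy: no system accounts */

/* 0 if uid/gid may run user CGI code, -1 otherwise (root, daemons). */
int target_allowed(uid_t uid, gid_t gid)
{
    return (uid >= MIN_ID && gid >= MIN_ID) ? 0 : -1;
}

/* Jail the process, then drop to the per-user identity for good.
 * Returns 0 on success, or the number of the step that failed. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (target_allowed(uid, gid) != 0) return 1;
    if (chroot(jail) != 0)             return 2; /* needs root */
    if (chdir("/") != 0)               return 3; /* no cwd outside the jail */
    if (setgroups(0, NULL) != 0)       return 4; /* shed supplementary groups */
    if (setgid(gid) != 0)              return 5; /* group before user */
    if (setuid(uid) != 0)              return 6;
    if (setuid(0) == 0)                return 7; /* root must be unrecoverable */
    return 0;
}

/* usage: wrapper <jail> <uid> <gid> <cgi-path-inside-jail> */
int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s jail uid gid cgi\n", argv[0]);
        return 2;
    }
    int step = confine(argv[1], (uid_t)atol(argv[2]), (gid_t)atol(argv[3]));
    if (step != 0) {
        fprintf(stderr, "confine failed at step %d\n", step);
        return 1;
    }
    char *cgi_argv[] = { argv[4], NULL };
    execv(argv[4], cgi_argv);    /* a real wrapper also scrubs the environment */
    perror("execv");
    return 1;
}
```

The order matters: chroot() needs root, so it comes before the UID switch, and the group is changed before the user because setgid() stops working once root has been given up.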