[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keeping the webserver safe

>From what I understand, /etc/passwd has to be world readable.  If I'm
wrong, correct me please.  If it's world readable, anyone can read it
unless you use a chroot or use OS containers like OpenVZ (they'd still
see the file, but it just wouldn't be the whole server's file).


On Sun, Oct 5, 2008 at 1:27 PM, Rico Secada <coolzone@it.dk> wrote:
> Hi.
> I have a webserver running with a couple of users as virtual hosts in
> Apache.
> I read this article from IBM
> http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
> (look for "Guard your filesystem") and testet the PHP script on an Etch
> installation, and the script serves files such as /etc/passwd and
> others.
> What is the best and correct way to protect the server from users who
> might upload such a script on their web directory?
> I don't want to run Apache in a chroot.
> Best regards.
> Rico
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: