Rico Secada wrote:
Hi. I have a webserver running with a couple of users as virtual hosts in Apache. I read this article from IBM http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html (look for "Guard your filesystem") and tested the PHP script on an Etch installation, and the script serves files such as /etc/passwd and others. What is the best and correct way to protect the server from users who might upload such a script on their web directory?
How can there be any way? If you allow users to upload executable scripts, you might as well give them ssh access and be done with it. You must enforce file create permissions on the upload system (ftp or whatever) which do not include 'execute' for any user or group.
Commercial web servers which offer scripting *do* normally also offer ssh access, but what the user has access to is only a virtual machine, not shared with anyone else. Chroot is nowhere near enough.
-- Joe
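As an added example that is not part of the thread: a small POSIX shell audit that applies the rule Joe gives, listing and stripping execute bits from files under a users' web directory, plus the way an upload daemon should create files under a restrictive umask so no execute bit is ever set (the directory path passed in is an assumption).

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an upload tree for
# files that carry any execute bit and shows a safe creation pattern.

# Print every regular file under $1 that has an execute bit set for
# owner, group or other. Octal -perm forms are POSIX; "-perm /111" is not.
list_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Return 0 when no file under $1 is executable, 1 otherwise.
check_no_exec() {
    if [ -n "$(list_exec_files "$1")" ]; then
        return 1
    fi
    return 0
}

# Remove execute bits from every regular file under $1. Directories are
# left alone: they need the search (x) bit to be traversed at all.
strip_exec() {
    find "$1" -type f -exec chmod a-x {} +
}

# Create a file the way an upload service should: inside a subshell with
# umask 0027, so the result is 0640 whatever mode the client asked for.
safe_create() {
    ( umask 0027; : > "$1" )
}
```

Run `check_no_exec /path/to/upload/root` from cron and alert on a non-zero exit; `strip_exec` is the remediation once the offending files have been reviewed.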