
Re: Keeping the webserver safe



From what I understand, /etc/passwd has to be world readable.  If I'm
wrong, correct me please.  If it's world readable, anyone can read it
unless you use a chroot or use OS containers like OpenVZ (they'd still
see the file, but it just wouldn't be the whole server's file).

Dusty


On Sun, Oct 5, 2008 at 1:27 PM, Rico Secada <coolzone@it.dk> wrote:
> Hi.
>
> I have a webserver running with a couple of users as virtual hosts in
> Apache.
>
> I read this article from IBM
> http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
> (look for "Guard your filesystem") and tested the PHP script on an Etch
> installation, and the script serves files such as /etc/passwd and
> others.
>
> What is the best and correct way to protect the server from users who
> might upload such a script on their web directory?
>
> I don't want to run Apache in a chroot.
>
> Best regards.
>
> Rico

