Date: Sun, 25 Feb 2007 11:06:41 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: idiotbg@gmail.com
Cc: Stanislav Sedov <stas@freebsd.org>, Alexis Susset <admin@munai.com>, freebsd-security@freebsd.org
Subject: Re: Secure shared web hosting using MAC Framework
Message-ID: <45E15FB1.90906@quip.cz>
In-Reply-To: <200702212218.19806.idiotbg@gmail.com>
References: <E6A3BDDE-909D-4217-A773-9C8106358CD2@munai.com> <20070221131421.1709206a.stas@FreeBSD.org> <20070221183154.GA14590@zone3000.net> <200702212218.19806.idiotbg@gmail.com>
Momchil Ivanov wrote:
[...]
>>>
>>>> - Web users and executed web scripts shouldn't be able to read other
>>>>   users' data
>>>>   Solution:
>>>>   run suPHP for php scripts as well as suEXEC for cgi-scripts
>>>>   implement ufs_acl so that the www (Web Server) user can access any
>>>>   user directory
>>>>   Add a ufs_acl to the Web user's home directory which says:
>>>>   read-write-exec only from $owner and www
>>>>   Those rights should have priority over any traditional unix file
>>>>   system rights.
>>>
>>> I believe the suphp will be an amazingly slow solution as it executes
>>> the php executable on each request, IIRC. Thus, the speed will not be
>>> faster than php in cgi.
>>
>> But is there any way to disable related php functions? Are there any
>> well-defined configuration examples for mod_php?
>
> Is this what you are looking for:
> http://www.php.net/manual/en/features.safe-mode.php
>
> <snip>
> disable_functions string
>
> This directive allows you to disable certain functions for security reasons.
> It takes on a comma-delimited list of function names. disable_functions is
> not affected by Safe Mode.
>
> This directive must be set in php.ini. For example, you cannot set this in
> httpd.conf.
>
> disable_classes string
>
> This directive allows you to disable certain classes for security reasons. It
> takes on a comma-delimited list of class names. disable_classes is not
> affected by Safe Mode.
>
> This directive must be set in php.ini. For example, you cannot set this in
> httpd.conf.
> </snip>
[...]

There is a PHP extension for better security called Suhosin. After installing this extension you have better control of what you want to disable, or enable.

http://www.hardened-php.net/suhosin/configuration.html

The author of this extension was a developer in the PHP security team.

Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45E15FB1.90906>
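An added example, not part of the thread and not code from PHP or FreeBSD: a small audit script for the disable_functions advice quoted above. It parses a php.ini, reports which of a baseline set of process-spawning functions a tenant's PHP can still call, and flags disable_functions / disable_classes lines that were put in httpd.conf, where the quoted manual text says they are not honoured. The baseline function list and the three sample config fragments are constructed for the example and are assumptions, not taken from the page.

```python
"""Audit PHP's disable_functions setting for a shared-hosting php.ini.

Added example, not code from this thread or from PHP itself. It parses a
php.ini, reports which of a baseline set of functions are still enabled,
and flags disable_functions / disable_classes lines placed in httpd.conf,
where (as the quoted manual text says) PHP does not honour them.
The baseline list below is an assumption, not taken from the page.
"""
import re

# Assumption: process-spawning and code-loading functions that a
# shared-hosting operator typically withholds from tenant scripts.
BASELINE_FUNCTIONS = {
    "exec", "passthru", "shell_exec", "system",
    "proc_open", "popen", "pcntl_exec", "dl",
}

# A php.ini directive: name = value, where the value is either double-quoted
# or runs up to an optional ';' comment.  Section headers ([PHP]) and
# comment lines do not match and are skipped.
_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z_.]+)\s*=\s*(?:"([^"]*)"|([^;]*?))\s*(?:;.*)?$')

# Apache-side attempts to set the directive via php_value / php_admin_value.
_MISPLACED = re.compile(
    r'^\s*php_(?:admin_)?(?:value|flag)\s+(disable_functions|disable_classes)\b',
    re.IGNORECASE)


def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    directives = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            directives[m.group(1).lower()] = value
    return directives


def parse_name_list(value):
    """Split a comma-delimited directive value into lower-cased names.

    PHP function names are case-insensitive, so compare in lower case.
    """
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def audit_php_ini(text, baseline=BASELINE_FUNCTIONS):
    """Return, sorted, the baseline functions that this php.ini leaves enabled."""
    disabled = parse_name_list(parse_ini(text).get("disable_functions", ""))
    return sorted(baseline - disabled)


def misplaced_in_httpd_conf(text):
    """Return (line number, directive) pairs for disable_* settings that sit
    in httpd.conf instead of php.ini and therefore have no effect."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _MISPLACED.match(line)
        if m:
            found.append((lineno, m.group(1).lower()))
    return found


# Constructed samples: a stock php.ini that disables nothing, a hardened
# one, and an httpd.conf fragment that tries (ineffectively) to do the same.
WEAK_PHP_INI = """[PHP]
; nothing disabled: tenant scripts can spawn shells
safe_mode = Off
disable_functions =
disable_classes =
"""

HARDENED_PHP_INI = """[PHP]
disable_functions = "exec, passthru, shell_exec, system, proc_open, popen, pcntl_exec, dl"  ; no process spawning
disable_classes =
"""

HTTPD_CONF = """# constructed sample
<VirtualHost *:80>
    php_admin_value disable_functions "exec,system"
</VirtualHost>
"""


def main():
    for label, ini in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        still_on = audit_php_ini(ini)
        print(f"{label:9s} still enabled: {', '.join(still_on) or '(none)'}")
    for lineno, directive in misplaced_in_httpd_conf(HTTPD_CONF):
        print(f"httpd.conf line {lineno}: {directive} has no effect here; move it to php.ini")


if __name__ == "__main__":
    main()
```

Run it against a real php.ini by replacing the constructed strings with the file contents; the point of the httpd.conf check is that a disable_functions line under php_admin_value looks hardened in the vhost config while the functions stay callable, so the audit should always read the php.ini that the PHP module actually loads.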