From owner-freebsd-isp@FreeBSD.ORG Tue Jul 29 10:43:26 2003
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0144537B404 for ; Tue, 29 Jul 2003 10:43:25 -0700 (PDT)
Received: from unix1.sihope.com (unix1.sihope.com [207.195.195.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9474343F75 for ; Tue, 29 Jul 2003 10:43:24 -0700 (PDT) (envelope-from adamm@sihope.com)
Received: from unix1.sihope.com (adamm@localhost.sihope.com [127.0.0.1]) by unix1.sihope.com (8.12.9/8.11.6) with ESMTP id h6THhF1b013044; Tue, 29 Jul 2003 12:43:15 -0500 (CDT)
Received: from localhost (adamm@localhost) h6THhFLx013041; Tue, 29 Jul 2003 12:43:15 -0500 (CDT)
X-Authentication-Warning: unix1.sihope.com: adamm owned process doing -bs
Date: Tue, 29 Jul 2003 12:43:15 -0500 (CDT)
From: Adam Maloney
To: Marco Gonçalves
In-Reply-To: <007d01c355f4$8e54a900$6b026b83@marco>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: FreeBSD ISP List
Subject: Re: Virtual Hosting Security
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 29 Jul 2003 17:43:26 -0000

> The problem is that we offer php4 as mod_php4 for Apache, and even
> though we haven't had (yet) any problem, in theory it is easy to set up a PHP
> script using filesystem functions to run, list and view file contents
> of other users, because the script is running as the www user and this user
> has permission to enter/read all users' www directories. How can I
> fix this? Must I use suexec? Does it run properly? Do I have to put
> PHP as CGI only? What is the tradeoff in performance?

Last I checked into it, running it as CGI with suexec was the only "safe" way to do it (although I think you can disable some of the dangerous functions).
I haven't looked into it in awhile though, so maybe this has been addressed.
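Added example (not from the original thread, and not a configuration either poster supplied): an Apache 1.3 httpd.conf fragment that places the weak setup described in the question beside the two mitigations the reply names, per-vhost PHP fencing under mod_php4 and PHP as CGI under suexec. Host names, user names and paths (user1.example.com, /home/user1/www, /usr/local/bin/php) are hypothetical; the php.ini line is shown as a comment because disable_functions is PHP_INI_SYSTEM and cannot be set per vhost.

```apache
# --- Weak (the situation in the question): one process identity for all ---
# Every vhost's PHP runs inside httpd as "www" with no path restriction,
# so a script in user1's tree can fopen()/opendir() user2's files, since
# www must be able to read every user's www directory to serve them.
<VirtualHost *>
    ServerName   user1.example.com        # hypothetical
    DocumentRoot /home/user1/www          # hypothetical
</VirtualHost>

# --- Mitigation 1: keep mod_php4, but fence each vhost ---
# In php.ini (system-wide; this directive cannot go in httpd.conf):
#   disable_functions = system,exec,passthru,shell_exec,popen,proc_open
# open_basedir is set per vhost with php_admin_value, which a user
# cannot override from .htaccess or ini_set():
<VirtualHost *>
    ServerName   user1.example.com
    DocumentRoot /home/user1/www
    php_admin_value open_basedir "/home/user1/www:/tmp"
    php_admin_flag  safe_mode    on       # PHP4-era uid check on file access
</VirtualHost>

# --- Mitigation 2: PHP as CGI under suexec, running as the vhost's uid ---
# Needs apache13 built with suexec, mod_actions, and a php CGI binary.
# The wrapper must sit under the suexec document root, owned by user1
# (hypothetical path /home/user1/www/cgi-bin/php.cgi, mode 0755):
#     #!/bin/sh
#     exec /usr/local/bin/php
# Action sets REDIRECT_STATUS, which the PHP CGI's cgi.force_redirect
# check requires before it will execute a script.
<VirtualHost *>
    ServerName   user1.example.com
    DocumentRoot /home/user1/www
    User         user1                    # suexec target uid (Apache 1.3 syntax)
    Group        user1
    ScriptAlias  /cgi-bin/ /home/user1/www/cgi-bin/
    Action       php-script /cgi-bin/php.cgi
    AddHandler   php-script .php
</VirtualHost>
```

Two checks worth doing on whichever path is chosen. Under mitigation 1 the PHP process is still www, so open_basedir is the only thing between user1's script and user2's files; anything that bypasses it (or any function not on the disable list that touches the filesystem indirectly) reopens the hole. Under mitigation 2 the script runs as user1, which only helps if user2's tree is not world-readable: make each user's www directory group www and mode 0750 so httpd can still serve static files while other users' scripts cannot read it. The performance cost of the CGI route is a fork and exec of the PHP binary per request, which is the tradeoff the question asks about.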