Date: Tue, 29 Jul 2003 20:05:11 +0200
From: Kurt Jaeger <lists@complx.LF.net>
To: Marco Gonçalves <marco@aces.pt>
Cc: FreeBSD ISP List <freebsd-isp@freebsd.org>
Subject: Re: Virtual Hosting Security
Message-ID: <20030729180510.GH41025@complx.LF.net>
In-Reply-To: <007d01c355f4$8e54a900$6b026b83@marco>
References: <007d01c355f4$8e54a900$6b026b83@marco>

Hi!

> the problem is that we offer php4 as a mod_php4 for Apache and
> even though we haven't had any problem (yet), in theory it is easy to set
> up a php script using filesystem functions to run, list and view
> file contents of other users... cause the script is running as www
> user and this user has permissions to enter/read all users' www
> directory.... how can I fix this? must I use suexec? does it run
> properly? do I have to put php as cgi only? what is the tradeoff
> in performance?

Use jails. Any other solution will lead to a mess.

We're running similar setups and we are really sick of it 8-}
and will migrate to jails as soon as our support staff is through
with testing.

-- 
MfG/Best regards, Kurt Jaeger                       17 years to go !
LF.net GmbH        fon +49 711 90074-23  pi@LF.net
Ruppmannstr. 27    fax +49 711 90074-33
D-70565 Stuttgart  mob +49 171 3101372