From owner-freebsd-isp@FreeBSD.ORG  Tue Jul 29 11:05:13 2003
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 370C037B401
	for <freebsd-isp@freebsd.org>; Tue, 29 Jul 2003 11:05:13 -0700 (PDT)
Received: from complx.LF.net (complx.LF.net [212.9.190.63])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9F48A43F3F
	for <freebsd-isp@freebsd.org>; Tue, 29 Jul 2003 11:05:12 -0700 (PDT)
	(envelope-from lists@complx.LF.net)
Received: from lists by complx.LF.net with local (Exim 4.14)
	id 19hYqV-000CHl-1n; Tue, 29 Jul 2003 20:05:11 +0200
Date: Tue, 29 Jul 2003 20:05:11 +0200
From: Kurt Jaeger <lists@complx.LF.net>
To: Marco =?iso-8859-1?Q?Gon=E7alves?= <marco@aces.pt>
Message-ID: <20030729180510.GH41025@complx.LF.net>
References: <007d01c355f4$8e54a900$6b026b83@marco>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <007d01c355f4$8e54a900$6b026b83@marco>
cc: FreeBSD ISP List <freebsd-isp@freebsd.org>
Subject: Re: Virtual Hosting Security
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: pi@LF.net
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2003 18:05:13 -0000

Hi!

> the problem is that we offer php4 as a mod_php4 for Apache and
> even though we didnt had (yet) no problem in theory is ease to set
> up a php script using filesystem functions to run, list and view
> file contents of other users...cause the script is runing as www
> user and this user has permissions to enter/read all users www
> directory.... how can i fix this? must i use suexec? does it run
> properly? do i have to put php as cgi only? what is the tradeoff
> in performance?

Use jails. Any other solution will lead to a mess.

We're running similar setups and we are really sick of it 8-} and
will migrate to jails as soon as our support staff is through
with testing.

-- 
MfG/Best regards, Kurt Jaeger                                  17 years to go !
LF.net GmbH        fon +49 711 90074-23  pi@LF.net  
Ruppmannstr. 27    fax +49 711 90074-33
D-70565 Stuttgart  mob +49 171 3101372