From owner-freebsd-isp@FreeBSD.ORG  Wed Jul 27 06:58:44 2005
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5232216A41F
	for <freebsd-isp@freebsd.org>; Wed, 27 Jul 2005 06:58:44 +0000 (GMT)
	(envelope-from david@fundamentalit.com)
Received: from mail.fundamentalit.com (mail.fundamentalit.com
	[202.160.128.219])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8F30543D46
	for <freebsd-isp@freebsd.org>; Wed, 27 Jul 2005 06:58:43 +0000 (GMT)
	(envelope-from david@fundamentalit.com)
Received: from [203.206.239.179] (helo=dev)
	by mail.fundamentalit.com with esmtpa (Exim 4.50)
	id 1DxfsE-0000vx-6X; Wed, 27 Jul 2005 16:58:38 +1000
From: "David Hogan" <david@fundamentalit.com>
To: "'Thomas Krause'" <freebsd-isp@chef-ingenieur.de>
Date: Wed, 27 Jul 2005 16:58:50 +1000
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
In-Reply-To: <42E66986.4080004@chef-ingenieur.de>
Thread-Index: AcWSAjeU9HX2v7dETiaVKbQ7PkSMWQAdiLYQ
Message-Id: <20050727065843.8F30543D46@mx1.FreeBSD.org>
Cc: freebsd-isp@freebsd.org, "'Gustavo A. Baratto'" <gbaratto@superb.net>
Subject: RE: preventing a user to start a process
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2005 06:58:44 -0000

> Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so I
> need system().

Hmmm ... ok

are you aware you can override many php.ini settings on a per directory
basis or even per vhost basis (I think) ? If you didn't have too many
exceptions, you could deny system() globally, then allow it just for trusted
users or scripts.

Hope this is practical,
Dave