From owner-freebsd-isp@FreeBSD.ORG Wed Jul 27 14:01:56 2005
From: Todor Dragnev
To: "'Thomas Krause'"
Cc: freebsd-isp@freebsd.org
Date: Wed, 27 Jul 2005 17:01:46 +0300
Subject: Re: preventing a user to start a process
Message-Id: <200507271701.46118.todor.dragnev@gmail.com>
In-Reply-To: <20050727065843.8F30543D46@mx1.FreeBSD.org>
Reply-To: todor.dragnev@gmail.com

Years ago I did a lot of testing with LIDS and grsecurity on Linux.
With these tools it is possible to set rules for which system commands or which files (by inode) can be accessed by a user or process (PID or name). I have no experience with FreeBSD, but maybe it is possible to solve the problem in the same way.

On Wednesday 27 July 2005 09:58, David Hogan wrote:
> > Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so I
> > need system().
>
> Hmmm ... ok
>
> Are you aware you can override many php.ini settings on a per directory
> basis or even per vhost basis (I think)? If you didn't have too many
> exceptions, you could deny system() globally, then allow it just for
> trusted users or scripts.
>
> Hope this is practical,
> Dave