Date: Wed, 20 Mar 2002 09:38:14 +0100
From: "Roland Dworschak" <roland.dworschak@i-sp.at>
To: <freebsd-questions@FreeBSD.ORG>
Subject: RE: Limit PERL opening file in a directory / PHP
Message-ID: <IEEPKGPKMPPMPLMFAGHAOEGHCAAA.roland.dworschak@i-sp.at>
In-Reply-To: <Pine.BSF.4.43.0203181931500.59799-100000@BigKing.sinp.msu.ru>

Hi,

I was just wondering if there's something like SuEXEC for PHP.

<roland

--
Internet & System Products
Roland Dworschak
Netzadministration
Ignaz Rieder Kai 13
A-5020 Salzburg
Phone: +43 662 633434 11
Fax: +43 662 633434 14
eMail: roland.dworschak@i-sp.at
Web: http://www.i-sp.com

-----Original Message-----
Subject: Re: Limit PERL opening file in a directory.

Hi

On Tue, 19 Mar 2002, Richard wrote:

> I have a few virtual sites in my server. There is a security risk
> that these users are able to open files that are not in his/her
> directory by using PERL scripts because most of the system files
> are set as everyone read.
>
> Now, I just made it work that the user can not open a file out
> of his/her directory with PHP by adding php_admin_value open_basedir 'directory'
> into apache configuration file.
>
> I want to implement the same limitation with PERL.
> Also, I want to block some functions in PERL, such as system().
>
> Is there any suggestion? Thank you.

You should better set proper permissions on files and directories.
Apache's suExec is very handy if you need to restrict cgi script's
permissions.

chmod 750 /home/site1
chown -R site1:wwwguest /home/site1
chmod 750 /home/site2
chown -R site2:wwwguest /home/site2

in httpd.conf:
===
User wwwguest
Group wwwguest

<VirtualHost site1_ip>
User site1
Group site1
</VirtualHost>

<VirtualHost site2_ip>
User site2
Group site2
</VirtualHost>
===

So Apache will run as wwwguest and has the access to users files
(readonly), but users script are run as their own uid/gid (cause SuExec
does it), so they can't access another user's directory.

--
Dmitry A. Mottl
Network Administrator
Skobeltsyn's Institute of Nuclear Physics
Moscow State University

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
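
An added example, not part of either message: a small audit script for the layout in the quoted reply, checking that each site directory is mode 750, owned by the site's user and in the web server's group. The function names `check_site_dir` and `audit_sites` are hypothetical; `wwwguest`, `site1` and `/home/site1` are the names used in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): audit the suEXEC directory layout.
# Usage: sh audit.sh wwwguest site1:/home/site1 site2:/home/site2

# check_site_dir DIR OWNER GROUP
# Prints one line per problem; returns 0 if DIR matches, 1 otherwise.
check_site_dir() {
    dir=$1 want_owner=$2 want_group=$3
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }

    # ls -ld is parsed instead of stat(1), whose flags differ between
    # FreeBSD and GNU userlands. substr() drops a trailing ACL marker.
    read -r mode owner group <<EOF
$(ls -ld "$dir" | awk '{print substr($1, 1, 10), $3, $4}')
EOF

    rc=0
    # 750: owner rwx, web server group r-x, every other local user nothing.
    [ "$mode" = "drwxr-x---" ] ||
        { echo "$dir: mode is $mode, expected drwxr-x---"; rc=1; }
    [ "$owner" = "$want_owner" ] ||
        { echo "$dir: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "$dir: group is $group, expected $want_group"; rc=1; }
    return $rc
}

# audit_sites WEB_GROUP USER:DIR [USER:DIR ...]
# Returns 0 only if every listed site directory passes check_site_dir.
audit_sites() {
    web_group=$1; shift
    status=0
    for pair in "$@"; do
        check_site_dir "${pair#*:}" "${pair%%:*}" "$web_group" || status=1
    done
    return $status
}

# Run the audit only when arguments were given on the command line.
[ $# -eq 0 ] || audit_sites "$@"
```

The script checks only the top-level site directories, since the 750 mode there is what keeps one site's user out of another site's tree.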