httpd-dev mailing list archives

Subject PHP and other security problems - a solution idea
Date Mon, 22 Apr 2002 08:15:36 GMT
Hi to everyone,

Working for an ISP with a few mass-hosting servers (a couple thousand
domains), I'm currently trying to find solutions to some of the security
problems this scenario entails.

One is how to set up a secure environment that involves PHP or other
modules where suexec doesn't work.

The solution struck me as being easy, but it seems so obvious that I may
have missed something important, so please comment.

Idea: On handling a file, setuid() to owner of file. On closing connection,
re-engage original uid (nobody, apache, www-data, whatever it is). PHP will
run under user's UID, other users are safe.

This would be maybe 10 lines of code. It can't be that easy, can it? What am
I missing?

Tom Vogt
Hansenet Webfarm Security 
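
Added example, not part of the original message: a small C check of the uid semantics the idea above depends on, comparing a switch-and-restore done with setuid() against one done with seteuid(). The helper names (`round_trip`, `try_setuid`, `try_seteuid`) and the target uid standing in for "owner of file" are assumptions made for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for seteuid() under strict -std modes */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum result { SWITCH_DENIED = 0, NO_WAY_BACK = 1, ROUND_TRIP_OK = 2, CHECK_ERROR = 3 };

/* Constructed stand-in for "owner of the file": any uid that is not ours. */
static uid_t other_uid(void) { return geteuid() == 65534 ? 65533 : 65534; }

/* Switch to another uid and back using `set`, inside a forked child so the
 * caller's own credentials are never modified. */
static enum result round_trip(int (*set)(uid_t))
{
    uid_t orig = geteuid();
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return CHECK_ERROR;
    if (pid == 0) {
        if (set(other_uid()) != 0)
            _exit(SWITCH_DENIED);  /* unprivileged server: cannot become the owner */
        if (set(orig) != 0)
            _exit(NO_WAY_BACK);    /* all uids were replaced; restore is refused */
        _exit(ROUND_TRIP_OK);      /* saved uid kept: any in-process code can restore too */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return CHECK_ERROR;
    return (enum result)WEXITSTATUS(status);
}

enum result try_setuid(void)  { return round_trip(setuid); }
enum result try_seteuid(void) { return round_trip(seteuid); }

int main(void)
{
    static const char *name[] = { "switch denied", "no way back", "round trip ok", "error" };
    printf("euid=%d  setuid(): %s  seteuid(): %s\n", (int)geteuid(),
           name[try_setuid()], name[try_seteuid()]);
    return 0;
}
```

Run as root, setuid() is expected to report "no way back" and seteuid() "round trip ok", which means the restorable variant leaves the original uid reachable by any code executing in the same process; run unprivileged, both report "switch denied".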
