httpd-users mailing list archives

From Mikkel Christensen <mik...@talkactive.net>
Subject Re: [users@httpd] Apache refuses to start when it's user is member of to many groups
Date Sat, 08 May 2004 09:51:20 GMT
On Saturday 08 May 2004 07:15, Mikkel Christensen wrote:
> On Saturday 08 May 2004 04:31, Gary Smith wrote:
> > Mikkel, 
> > The idea is for users' data to be fairly secure without breaking Apache.
> > 
> > Does this make sense to this point?  If so, here is where the rest ties
> > in.  Using PHP's open_basedir users can only access files that are
> > within the authorized path.  As the user's home directory is in the path
> > they can see and access all of their stuff.  What a user cannot do is
> > go into another user's directory because it's outside their path.  This
> > applies to the system call as well.  If 'cat' isn't within the path for
> > open_basedir they cannot execute it.
> > 
> cat is allowed to be executed though it is not within open basedir.
> All system commands are unless you specifically disable this in php.ini (or each virtual host).
> Problem is that many are using unix commands so completely disabling it isn't an easy solution.
> Also open basedir does not perform any check on the information you pass to cat or whatever program you are calling.
> I just tested this to be entirely sure. You have complete and unlimited access to all that apache is capable of reading/writing/executing.
> 

Of course safe_mode can take care of this since it completely disables execution of any files
not in safe_mode_exec_dir...
But safemode is more than just open basedir, it comes with a lot of restrictions.
Hmm but I guess it's the only solution for the moment.

Maybe this will help when it's finished...: http://sourceforge.net/projects/moddiffprivs/

- Mikkel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
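
The gap discussed in this thread (open_basedir set while command execution is left enabled) can be checked for in a php.ini. The script below is an added example, not part of the original message; the list of execution functions, the use of the disable_functions directive and the sample configurations are assumptions made for illustration.

```python
import re

# PHP functions that start external programs; open_basedir does not apply to them.
EXEC_FUNCTIONS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}

def parse_ini(text):
    """Return {directive: value} from php.ini-style text (last assignment wins)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"([A-Za-z_.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings

def is_on(value):
    return value.lower() in ("1", "on", "true", "yes")

def audit(text):
    """List settings that leave files outside open_basedir reachable by a script."""
    s = parse_ini(text)
    findings = []
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set")
    # safe_mode limits execution to safe_mode_exec_dir (directive of the PHP
    # versions current in this thread; it was removed in PHP 5.4).
    if is_on(s.get("safe_mode", "off")):
        return findings
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    missing = sorted(EXEC_FUNCTIONS - disabled)
    if missing:
        findings.append("command execution not disabled: " + ", ".join(missing))
    return findings

# Constructed sample configurations (not taken from the thread).
OPEN_BASEDIR_ONLY = """
open_basedir = /home/alice:/tmp
safe_mode = Off
disable_functions =
"""
SAFE_MODE = """
open_basedir = /home/alice:/tmp
safe_mode = On
safe_mode_exec_dir = /usr/local/php/bin
"""

if __name__ == "__main__":
    for name, cfg in (("open_basedir only", OPEN_BASEDIR_ONLY), ("safe_mode", SAFE_MODE)):
        print(name, "->", audit(cfg) or "no findings")
```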

