httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stephan von Krawczynski <sk...@ithnet.com>
Subject Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?
Date Thu, 26 Aug 2004 14:07:15 GMT
On Thu, 26 Aug 2004 15:39:59 +0200
"Robert Andersson" <robert@profundis.nu> wrote:

> Stephan von Krawczynski wrote:
> > Consider having a setup with around 2000 virtual hosts (with low average
> > traffic) on linux. Using suexec to provide uid/gid for CGI scripts works
> very
> > well. Only real security issue is php as it runs with apache default
> uid/gid.
> > How can one change that?
> 
> Your best bet is to run PHP as CGI (through SuExec, of course).

Well, if I got that right this isn't really an option, because you have to
change the php-scripts for that (include "#! /.../php" on top).
You cannot really explain that to several hundred people knowing that most of
them use php stuff they don't understand themselves.
 
> There are also some "safe options" in PHP that limits its permissions (what
> can be executed, files that can be written etc), but I'm not very familiar
> with securing PHP that way. You could probably read something about this in
> PHP's docs.

Not a real good option either. I checked that several times.
 
> You cannot get the module version of PHP to serve requests under different
> uid/gid without using the perchild MPM; which sadly isn't an option anyway.

Well, maybe it could be if something is done about the existing problems?

Regards,
Stephan

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message