httpd-users mailing list archives

From Sam Lavitt <...@lavitt.net>
Subject Re: [users@httpd] Apache 2.2 security concern
Date Sat, 12 May 2007 22:54:42 GMT
Res wrote:

> On Sat, 12 May 2007, Dragon wrote:
>
>> PHP provides for this directly.
>>
>> There is a restrict_base_dir setting that can be applied to each 
>> virtual host that prevents users from accessing anything outside of 
>> the specified directory tree.
>
>
> Correct, everybody should be using this in a shared hosting 
> environment, and also to tighten the reins further should use 
> disable_functions
>
> The one I use and has given us no complaints except for some lame 
> program that wants to know the system uptime stats, which has nothing 
> to do with a user anyway, even if it only wants it for the load, again, 
> nothing to do with user, if the load gets high (above 5 on 15 min avge) 
> we have alarms to let us know.
>
> disable_functions = exec, shell_exec, system, virtual, show_source, 
> readfile, passthru, escapeshellcmd, popen, pclose, phpinfo
>
>
>
> - --
> Cheers
> Res
>
> Vote for your favourite MTA at  http://polls.ausics.net/v3.php
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
Would it be a wise idea to combine suEXEC with restrictions such as that 
applied to PHP directly (and how could one go about that?)
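
An added example, not part of the original thread: a Python check that parses php.ini text and reports which functions from the disable_functions list quoted above a given configuration still leaves enabled. The vhost names and php.ini contents are constructed samples, and the one-php.ini-per-vhost layout is an assumption.

```python
import re

# Function list quoted from the message above.
RECOMMENDED = {"exec", "shell_exec", "system", "virtual", "show_source",
               "readfile", "passthru", "escapeshellcmd", "popen", "pclose",
               "phpinfo"}

def disabled_functions(ini_text):
    """Return the effective disable_functions set from php.ini text."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')  # last assignment is kept
    return {f.strip() for f in value.split(",") if f.strip()}

def missing_functions(ini_text, wanted=RECOMMENDED):
    """Functions from the recommended list that the config leaves enabled."""
    return sorted(wanted - disabled_functions(ini_text))

def audit(vhost_inis):
    """Map each vhost name to the recommended functions it leaves enabled."""
    return {name: missing_functions(text) for name, text in vhost_inis.items()}

# Constructed sample configurations (hypothetical vhost names).
SAMPLE_INIS = {
    "full.example": "[PHP]\ndisable_functions = exec, shell_exec, system, "
                    "virtual, show_source, readfile, passthru, "
                    "escapeshellcmd, popen, pclose, phpinfo\n",
    "trimmed.example": "[PHP]\ndisable_functions = exec, system ; shortened\n",
    "commented.example": "[PHP]\n;disable_functions = exec, system\n",
}

if __name__ == "__main__":
    for vhost, missing in audit(SAMPLE_INIS).items():
        status = "OK" if not missing else "still enabled: " + ", ".join(missing)
        print(f"{vhost}: {status}")
```

A commented-out directive counts as unset, so every function on the list is reported for that vhost.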


