httpd-users mailing list archives

From Res <...@ausics.net>
Subject Re: [users@httpd] Apache 2.2 security concern
Date Sat, 12 May 2007 22:24:28 GMT

On Sat, 12 May 2007, Dragon wrote:

> PHP provides for this directly.
>
> There is a restrict_base_dir setting that can be applied to each virtual host 
> that prevents users from accessing anything outside of the specified 
> directory tree.

Correct, everybody should be using this in a shared hosting environment, 
and also, to tighten the reins further, should use disable_functions.

The one I use and has given us no complaints except for some lame program 
that wants to know the system uptime stats, which has nothing to do with
a user anyway, even if it only wants it for the load, again, nothing to do 
with user, if the load gets high (above 5 on 15 min avge) we have alarms 
to let us know.

disable_functions = exec, shell_exec, system, virtual, show_source, readfile, passthru, escapeshellcmd, popen, pclose, phpinfo



- -- 

Cheers
Res

Vote for your favourite MTA at  http://polls.ausics.net/v3.php

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
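
An added example, not part of the original message: a small audit that reads php.ini-style text and reports which functions from the disable_functions list above are still enabled. The names audit and parse_disable_functions and both sample configurations are constructed for illustration; it assumes php.ini directives are single-line "key = value" entries, so a value wrapped onto a second line is not part of the directive.

```python
import re

# Function list taken from the disable_functions line in the message above.
REQUIRED = ("exec shell_exec system virtual show_source readfile "
            "passthru escapeshellcmd popen pclose phpinfo").split()

# Directive names in php.ini are case-sensitive, so match the exact key.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*)$")


def parse_disable_functions(ini_text):
    """Return the set of function names disabled by php.ini-style text."""
    value = ""
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):   # whole-line comment
            continue
        m = _DIRECTIVE.match(line)
        if m:
            # Assumption: a later assignment replaces an earlier one.
            value = m.group(1).split(";", 1)[0].strip().strip('"\'')
    # PHP function names are case-insensitive; drop the empty item that a
    # trailing comma leaves behind.
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def audit(ini_text, required=REQUIRED):
    """Return the required functions that the configuration leaves enabled."""
    disabled = parse_disable_functions(ini_text)
    return [name for name in required if name not in disabled]


# Constructed sample: the directive on a single line.
ONE_LINE = """[PHP]
; hardening for shared hosting
disable_functions = exec, shell_exec, system, virtual, show_source, readfile, passthru, escapeshellcmd, popen, pclose, phpinfo
"""

# Constructed sample: the same directive wrapped across two lines, as a mail
# client or editor may do when the line is copied.
WRAPPED = """[PHP]
disable_functions = exec, shell_exec, system, virtual, show_source,
readfile, passthru, escapeshellcmd, popen, pclose, phpinfo
"""

if __name__ == "__main__":
    for label, text in (("one line", ONE_LINE), ("wrapped", WRAPPED)):
        print(label, "-> still enabled:", audit(text) or "none")
```

Run it against the php.ini that the web server's PHP actually loads; the wrapped sample shows how a copied line break can silently leave half the list enabled.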

