php3-list | 199901
Date: 01/15/99
- Next message: a. otto: "[PHP3] add data from forms to a database"
- Previous message: Rasmus Lerdorf: "Re: [PHP3] PHP Security"
- Maybe in reply to: Daniel Pocock: "[PHP3] PHP Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
At 10:46 PM 1/14/99, Tommy Williams wrote:
>On Thursday, January 14, 1999, 7:26 PM -0600 Chad Cunningham
><ccunning <email protected>> wrote:
>
>> The best way to handle it if you just have one person that you're worried
>> about protecting is to create a group with just you and the user that the
>> web server runs as in it. Then just chmod 770 all your files. The files
>> are parsed before being sent to the client, so people on the net won't be
>> able to get at it. And, you're never safe from a good hacker :)
>
>But that still doesn't protect you from other people writing PHP on the
>same machine. When their PHP code runs, it will be as the same user as the
>Web server. So, if they can figure out where your file is (they can get the
>include path from phpinfo() ), they can write a simple script to read it
>and output it to their browser.
>
>You can run the CGI in safe mode and get some protection, but the only true
>way to fix it is to run a different set of httpd processes with different
>access rights for every user with PHP access. With the way shared memory
>works on modern machines, it actually shouldn't be a big hit on the server.

Running the CGI (all CGIs) through suExec would also protect users from
each other, as I (sorta) understand it.

Not that I wouldn't rather have my own httpd with the stuff I want in it
(PHP) and without the crap I don't need (FrontPage)...

-- "TANSTAAFL" Rich lynch <email protected> webmaster@ and www. all of:
R&B/jazz/blues/rock - jademaze.com music industry org - chatmusic.com
acoustic/funk/world-beat - astrakelly.com sculptures - olivierledoux.com
my own nascent company - l-i-e.com cool coffeehouse - uncommonground.com
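
Added example, not part of the original messages: a small Python model of the Unix read-permission check applied to the setup discussed in this thread (a file set to mode 770 whose group holds only its owner and the web server user), comparing PHP run as the web server user with scripts run under their owner's uid, as suExec does. The uids, gid and names (alice, bob, www) are constructed for illustration.

```python
import stat
from collections import namedtuple

Proc = namedtuple("Proc", "label uid gids")
FileMeta = namedtuple("FileMeta", "uid gid mode")

def can_read(proc, f):
    """Unix read check: exactly one class applies (owner, then group, then other)."""
    if proc.uid == 0:                      # root bypasses the mode bits
        return True
    if proc.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in proc.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

# Constructed identities (assumptions, not taken from the thread).
ALICE, BOB, WWW = 1001, 1002, 33
GRP_ALICE_WWW = 2001                       # group holding only alice and the web server user

# alice's file: chmod 770, group = the shared group.
SECRET = FileMeta(uid=ALICE, gid=GRP_ALICE_WWW, mode=0o770)

def scenario(per_user_uid):
    """Who can read SECRET?

    per_user_uid=False: every user's PHP runs as the web server user.
    per_user_uid=True:  each script runs as its owner (the suExec model).
    """
    www_ids = (WWW, {WWW, GRP_ALICE_WWW})
    alice_ids = (ALICE, {ALICE, GRP_ALICE_WWW})
    bob_ids = (BOB, {BOB})
    procs = [
        Proc("alice shell", *alice_ids),
        Proc("bob shell", *bob_ids),
        Proc("alice PHP", *(alice_ids if per_user_uid else www_ids)),
        Proc("bob PHP", *(bob_ids if per_user_uid else www_ids)),
    ]
    return {p.label: can_read(p, SECRET) for p in procs}

if __name__ == "__main__":
    for flag in (False, True):
        print("per-user uid" if flag else "shared web server uid", scenario(flag))
```
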

