Momchil Ivanov wrote:
[...]

- Web users and executed web scripts shouldn't be able to read other
users' data
    Solution:
        run suPHP for php scripts as well as suEXEC for cgi-scripts
        implement ufs_acl so that the www (Web Server) user can access any
user directory
        Add a ufs_acl to the Web user's home directory which says:
                read-write-exec only from $owner and www
        Those rights should have priority over any traditional unix file
system rights.

I believe the suphp will be an amazingly slow solution as it executes the
php executable on each request, IIRC. Thus, the speed will not be
faster than php in cgi.

But is there any way to disable related php functions? Are there any well-
defined configuration examples for mod_php?


Is this what you are looking for: http://www.php.net/manual/en/features.safe-mode.php

<snip>
disable_functions string
    This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in php.ini. For example, you cannot set this in httpd.conf.

disable_classes string
    This directive allows you to disable certain classes for security reasons. It takes on a comma-delimited list of class names. disable_classes is not affected by Safe Mode. This directive must be set in php.ini. For example, you cannot set this in httpd.conf.
</snip>
[...]

There is a PHP extension for better security called Suhosin. After installation of this extension you have better control of what you want to disable or enable.
http://www.hardened-php.net/suhosin/configuration.html
The author of this extension was a developer on the PHP security team.

Miroslav Lachman
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
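An added example, not from the thread or the PHP manual: since disable_functions only takes effect in php.ini (not httpd.conf), the check below parses a php.ini and reports which of a baseline of process-execution functions are still enabled. The baseline set and the sample php.ini are constructed for this example.

```python
"""Audit a php.ini for the disable_functions directive.
The manual text quoted above says the directive is honoured only in
php.ini, so this is the file a shared-hosting admin must audit."""
import re

# Constructed baseline (assumption, not from the thread): functions that
# spawn processes, which untrusted web scripts normally should not reach.
BASELINE_FUNCTIONS = {"exec", "system", "shell_exec", "passthru",
                      "proc_open", "popen"}

# Constructed sample php.ini text for the demonstration.
SAMPLE_PHP_INI = """
; constructed sample php.ini
[PHP]
engine = On
; disable_functions = exec,system   <- commented out, must be ignored
disable_functions = "exec, system , shell_exec,passthru"
disable_classes =
"""


def parse_list_directive(ini_text, name):
    """Return the comma-delimited values of directive `name` as a set.
    As in PHP, the last assignment wins; ';' comments are dropped
    (a ';' inside a quoted value is not handled, to keep this short)."""
    values = set()
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s*=\s*(.*?)\s*$",
                         re.IGNORECASE)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]          # strip trailing/leading comment
        match = pattern.match(line)
        if not match:
            continue
        raw = match.group(1).strip().strip("\"'")   # unquote the value
        values = {v.strip().lower() for v in raw.split(",") if v.strip()}
    return values


def missing_from_baseline(ini_text, baseline=BASELINE_FUNCTIONS):
    """Baseline functions NOT listed in disable_functions, sorted."""
    disabled = parse_list_directive(ini_text, "disable_functions")
    return sorted(baseline - disabled)


if __name__ == "__main__":
    still_enabled = missing_from_baseline(SAMPLE_PHP_INI)
    print("still enabled:", ", ".join(still_enabled) or "none")
```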
