php-windows Digest 9 Apr 2001 03:18:08 -0000 Issue 534

Topics (messages 6565 through 6568):

Re: PHP as an Apache module
        6565 by: Steve Prentice
        6566 by: Phil Driscoll

Re: Security Win2000/PHP4/Apache 3.1.19 - help!
        6567 by: Chris Adams

saving images which have been assigned a strange name
        6568 by: Lars Eirik Rønning

----------------------------------------------------------------------

"Phil Driscoll" <[EMAIL PROTECTED]> wrote in a message :
>
> As an interim position before I transfer most of my production sites from
> NT to Linux, it would be helpful for me to move from IIS to Apache, so
> that I can get everything in order for a quick switch to Linux.
>
> I am happy that Apache with PHP as a cgi is stable, but I have no
> experience with PHP as an Apache module on NT in a production environment.
>
> Has anyone got direct experience of this, and if so, is it rock solid
> stable, or should I expect some problems?

Hi Phil,

We run it on Win2000AdvSvr as a module, and so far not had any problems out of it whatsoever (touch wood).

The only thing that's just dawning on me is security with that type of a setup. I can't yet work out how to stop a user from running PHP scripts that could be used to delete anything they like on the system, because Apache doesn't work with NT permissions.

Maybe if you find or know a solution you could let me know :-)

Steve

Thanks for the info.

Your security problem is not so much of an issue for me as I don't allow anyone else to run anything on my machine.

<guess mode>
I assume that Apache by default will probably run under the system account. I suppose you could create an account with similar privileges, but set permissions on all files (outside webroot) on your machine such that the new account could not read/write or otherwise tamper with the files.

Also, there's probably something you could do with 'safe mode' to help - I've never used it so I don't know what!
</guess mode>

Cheers
--
Phil Driscoll
Dial Solutions
+44 (0)113 294 5112
http://www.dialsolutions.com
http://www.dtonline.org

On 8 Apr 2001 08:02:44 -0700, Steve Prentice <[EMAIL PROTECTED]> wrote:
>Has anyone got any good ideas because this seems to be a very important
>issue, and we can't be the only people running win32 apache and php.

What user are you running Apache as? If it's a special account with low privileges, a properly secured system (e.g. no Everyone "Full Control" on important files) won't allow the users to do much in any case.

This would, of course, still allow any one of your web users to attack another web user. To counter this, have you tried safe_mode / doc_root, disable_functions, and open_basedir?

safe_mode / doc_root / open_basedir allow you to restrict which files can be opened and disable things like dl() or calling arbitrary binaries on the system. disable_functions allows you to disable certain functions - e.g. unlink() and friends.

Setting these in each VirtualHost should significantly complicate life for any attacker.
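
Added example, not part of the original message and not taken from the Apache or PHP projects: the per-VirtualHost restrictions suggested above, sketched for Apache 1.3 with PHP 4 loaded as a module. The IP address, hostnames and C:/webroot paths are constructed, and disable_functions appears as a php.ini line because PHP reads that directive only from php.ini, not from httpd.conf.

```apache
# httpd.conf -- one VirtualHost per web user (constructed names and paths).
# php_admin_value / php_admin_flag settings cannot be overridden from
# .htaccess files or from ini_set() inside a script.

NameVirtualHost 192.0.2.10

<VirtualHost 192.0.2.10>
    ServerName   alice.example.com
    DocumentRoot "C:/webroot/alice"

    php_admin_flag  safe_mode    on
    php_admin_value doc_root     "C:/webroot/alice"
    # open_basedir is a prefix match: without the trailing slash,
    # "C:/webroot/alice" would also allow "C:/webroot/alice2".
    php_admin_value open_basedir "C:/webroot/alice/"
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName   bob.example.com
    DocumentRoot "C:/webroot/bob"

    php_admin_flag  safe_mode    on
    php_admin_value doc_root     "C:/webroot/bob"
    # Scripts in this host cannot open files under C:/webroot/alice/.
    php_admin_value open_basedir "C:/webroot/bob/"
</VirtualHost>

# php.ini -- server-wide, applies to every VirtualHost.
# The function list is an illustrative assumption; trim or extend it
# to match what the hosted scripts actually need.
#
#   disable_functions = unlink,rmdir,exec,system,passthru,shell_exec,popen,dl
```

These settings limit what PHP itself will open or call; the NT file permissions on the low-privilege Apache account remain the control for anything that bypasses PHP.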

I have a problem. I have posted this earlier as well, but no one seems to be able to help me, but here I go again.

I retrieve my images from a MySQL db, but whenever I want to save the image it has been assigned a name identical to my PHP page (without the extension though).

E.g. if you click on a picture and the name of the webpage is oneimage.php, the image will automatically have a save name = oneimage.

I have tried to add a name tag to the image, but it doesn't seem to work. I thought there was an inbuilt function which automatically kept control of the image name, but I might be wrong?

Thanks
Lars Eirik