Best thing to do is create a user for the webserver/php and run as this
user. You can then restrict the access of that user to specific areas. This
is OK if you are running a single server/domain model, but if running
virtual domains or multiple websites, to secure the other people's websites,
you'll need to have a server per website to stop roaming. I have tested
in-house and with a poorly constructed PHP script, I can browse most file
systems, access other websites on the server and even write files to their
directories. If you are running a server and using PHP, then you need to do
a full security analysis of it before you launch it to the world, especially
on Win32. Not too bad if you're only hosting your own files and stuff, but
can become a nightmare if you have it open to the 'public' to upload their
php scripts.

"Erick Baum" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> We have been unable to secure our Windows 2000/IIS5 server from allowing
> people to open any file on our server that they want to if they know the
> path. The safe_mode doesn't really work on Windows. But I was told to use
> the open_basedir option in our php.ini. I added this option and it had no
> effect on the ability for people to open files anywhere on the server. I
> tried numerous formats for the option, for example open_basedir =
> c:\inetpub\wwwroot open_basedir = "c:\inetpub\wwwroot" open_basedir = .
> and on and on, with quotes, without quotes, forward slashes, backslashes,
> even without the drive letter more like a unix path and nothing seemed to
> work.
>
> Has anyone actually got this to work? If so, I would be very interested to
> know what format you used for the option in the php.ini file. Or however
> else you managed to get this to work.
>
> Thanks,
> Erick
--
PHP Windows Mailing List (http://www.php.net/)
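
One way to check whether an open_basedir setting is actually being enforced for a site, as an added example that is not code from this thread. It assumes PHP 7 or later, that the script is placed inside the directory open_basedir is meant to allow, and that the `$outside` path (chosen here for illustration) exists on the host.

```php
<?php
// Added example: self-check for open_basedir enforcement on your own server.
// Remove the script from the site once the check is done.

// Assumed test target outside the web root; adjust for the host being checked.
$outside = getenv('SystemRoot')
    ? getenv('SystemRoot') . '\\win.ini'
    : '/etc/hostname';

// Try to open $path read-only and report whether open_basedir stopped it.
function probe(string $path): string
{
    $warnings = '';
    // PHP raises more than one warning on a blocked open, so collect them all.
    set_error_handler(function (int $no, string $str) use (&$warnings) {
        $warnings .= $str . "\n";
        return true;
    });
    $fh = fopen($path, 'r');
    restore_error_handler();

    if ($fh !== false) {
        fclose($fh);
        return 'READABLE';
    }
    if (strpos($warnings, 'open_basedir restriction') !== false) {
        return 'BLOCKED by open_basedir';
    }
    return 'not opened for another reason: ' . trim($warnings);
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}

$base = ini_get('open_basedir');
echo 'SAPI:           ', PHP_SAPI, "\n";
// Shows which php.ini this SAPI really loaded (false means none was found).
echo 'php.ini in use: ', (php_ini_loaded_file() ?: '(none loaded)'), "\n";
echo 'open_basedir:   ', ($base === '' || $base === false ? '(not set)' : $base), "\n";
echo 'inside  (', __FILE__, '): ', probe(__FILE__), "\n";
echo 'outside (', $outside, '): ', probe($outside), "\n";
```

Request it through the web server rather than the command line, since the two can load different php.ini files. An enforced setting shows the inside path as READABLE and the outside path as BLOCKED by open_basedir.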