Rico Secada wrote:
Hi.
I have a webserver running with a couple of users as virtual hosts in
Apache.
I read this article from IBM
http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
(look for "Guard your filesystem") and tested the PHP script on an Etch
installation, and the script serves files such as /etc/passwd and
others.
What is the best and correct way to protect the server from users who
might upload such a script on their web directory?

How can there be any way? If you allow users to upload executable
scripts, you might as well give them ssh access and be done with it. You
must enforce file create permissions on the upload system (ftp or
whatever) which do not include 'execute' for any user or group.
Commercial web servers which offer scripting *do* normally also offer
ssh access, but what the user has access to is only a virtual machine,
not shared with anyone else. Chroot is nowhere near enough.
--
Joe