Hello,
I do not use Microsoft products unless I have to, so I am not sure if you can do
this with IIS. I stick with Slackware or BSD systems (Open, Net and Free).
On my Slackware box I have Apache installed, and in the config file there is the
following option:
--snip--
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
User nobody
Group #-1
</IfModule>
</IfModule>
--snip--
I am not sure if the Windows version has this option - it may have something similar.
Michael.
On Tue, 19 Aug 2003 17:51:46 -0400
"Justin Shin" <[EMAIL PROTECTED]> wrote:
> Hi all --
>
> I have a friend that owns a web hosting company and recently he asked me to check up
> on his security ... I found that PHP scripts could access, modify, etc. anything on
> the drive. Of course, this is because PHP was invoked by apache, which is being run
> as a root user (Administrator, he runs apache on win2k3 for some odd reason) but I
> do not know the remedy. How could he set up his apache/PHP so that only the users of
> his web hosting service could "do stuff" to their own web directories. I know I am
> not explaining this well, but I think you get the picture :) I also know there is a simple
> solution to this, I googled it though and I couldn't find it.
>
> -- Justin
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
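An added example, not part of the original message or of Apache itself: a small audit of the `User`/`Group` directives quoted in the reply, flagging a root identity and the `#number` case the config comment warns about (a value above 60000 once treated as unsigned). The function names, the status labels and the 32-bit id width are assumptions made for this sketch, and names are not resolved against the system's account database.

```python
import re

# Active directive lines only; '#'-prefixed comment lines never match.
DIRECTIVE = re.compile(r"^\s*(User|Group)\s+(\S+)\s*$", re.IGNORECASE)

# Assumption: uid_t/gid_t are 32-bit unsigned, so "#-1" wraps to 4294967295.
ID_MASK = 0xFFFFFFFF


def classify(value, id_limit=60000):
    """Classify one User/Group value as ok, root, id-above-limit or invalid."""
    if value.startswith("#"):  # "#number" form described in the config comment
        try:
            unsigned = int(value[1:]) & ID_MASK
        except ValueError:
            return "invalid"
        if unsigned == 0:
            return "root"
        return "id-above-limit" if unsigned > id_limit else "ok"
    # Names are compared literally; no lookup of the numeric id is done here.
    return "root" if value == "root" else "ok"


def audit_httpd_identity(conf_text, id_limit=60000):
    """Return {directive: (value, status)} using the last User/Group line seen."""
    result = {"User": (None, "missing"), "Group": (None, "missing")}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            name = m.group(1).capitalize()
            result[name] = (m.group(2), classify(m.group(2), id_limit))
    return result


# Constructed samples: the active lines from the quoted snippet, and a
# constructed misconfiguration for comparison.
SAMPLE_FROM_POST = """\
# User/Group: The name (or #number) of the user/group to run httpd as.
User nobody
Group #-1
"""
SAMPLE_ROOT = "User root\nGroup #0\n"

if __name__ == "__main__":
    for label, text in (("post", SAMPLE_FROM_POST), ("root", SAMPLE_ROOT)):
        for directive, (value, status) in audit_httpd_identity(text).items():
            print(label, directive, value, status)
```
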