Carilda Thomas wrote:
> 
> Without delving into source, it appears that the midgard module (and/or
> the php module?) start up before the change-user-id in apache.

I believe that the module indeed starts up before the change but issues
the setuid immediately after initialization -- before any actual
processing takes place.

> The consequence of this is that if I have php includes, the include file
> must be owned by root.  Part of my design and content management for AOL
> users^H^H^H^H^H^H^H^H^newbies allows them to upload a file (e.g., a page
> created by a tool such as word-to-html conversion or excel-to-html
> conversion) and put the filename in a designated field in article.  The
> page code tests for this and will include instead of execute.

Odd. When I do a touch in a php file the ownership is exactly what I
would expect for my setup (nobody/nogroup). I don't think PHP page
inclusion, which is part of normal PHP processing, would occur during
module initialization. It shouldn't anyway.

> However, I find that these include files must be owned by root.  I
> really don't like this since someone could upload a file containing code
> that then operates as root.

Even if for some stupid design decision the includes should indeed be
owned by root that does not necessarily mean the scripts will be run as
root. A simple php script that touches a file in /tmp will tell you
which user the script is running as.

> I don't want to turn off safe-mode (>>>> this <<<< is >>>>safe????<<<<),
> and I don't want to turn off execCGI in the include directory.

Still, file ownership shouldn't affect the user a script runs as.

> I could create two directories -- one for flat HTML includes and one for
> php includes that have to be chown'ed to root, but this is still a
> kludge.

True.

> P.S.  Always assume a user knows at least enough to be dangerous....

"Only the paranoid will survive"

emile
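The "touch a file in /tmp" check from the reply, written out as an added diagnostic (not code from the thread or from the Midgard project). It reports the uid/gid PHP actually runs as and, separately, compares the owner of an include file with the owner of the running script, which is the comparison PHP's safe_mode makes before allowing the include (with safe_mode_gid it compares the gid instead). The include path is a placeholder you need to replace.

```php
<?php
// Added diagnostic, not from the thread. Run it through the web server,
// not the CLI, so it reports the web server's worker user.
$include = '/path/to/uploaded/include.html'; // placeholder: set to a real include file

// 1. Which user does the script run as? Create a file and look at its owner.
$probe = tempnam('/tmp', 'uidprobe');
$st = stat($probe);
unlink($probe);
$name = function_exists('posix_getpwuid') ? posix_getpwuid($st['uid'])['name'] : '?';
printf("scripts run as uid=%d (%s) gid=%d\n", $st['uid'], $name, $st['gid']);

// 2. File ownership is a separate question from the running user.
//    safe_mode refuses an include whose owner differs from the script's owner
//    (or whose group differs, when safe_mode_gid is on).
$safeMode = ini_get('safe_mode') ? 'on' : 'off';
$gidMode  = ini_get('safe_mode_gid') ? true : false;
$scriptId  = $gidMode ? filegroup(__FILE__) : fileowner(__FILE__);
$includeId = file_exists($include)
    ? ($gidMode ? filegroup($include) : fileowner($include))
    : null;
printf("safe_mode=%s (%s check) script=%d include=%s\n",
    $safeMode, $gidMode ? 'gid' : 'uid', $scriptId, var_export($includeId, true));

if ($includeId === null) {
    echo "include file not found\n";
} elseif ($includeId !== $scriptId) {
    echo "owners differ: with safe_mode on this include would be refused\n";
} else {
    echo "owners match: safe_mode would allow this include\n";
}
```

If the first line reports nobody/nogroup, root ownership of the include changes what safe_mode permits, not the privileges the included code runs with; the same one-user-owns-everything requirement is also why a safe_mode setup is a poor fit for user-uploaded includes.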

--
This is The Midgard Project's mailing list. For more information,
please visit the project's web site at http://www.midgard-project.org

To unsubscribe the list, send an empty email message to address
[EMAIL PROTECTED]
