Hello list,

I have a security problem to solve with my apache setup and I am clueless
at this moment...

My web server holds multiple domains and uses name-based virtual servers
to direct requests to different portions of the html tree for different
domain names (we presume only one IP is available). There are just a few
people storing content on the webserver to be served to the public and
everyone has access to php scripts. The server runs as apache.apache and
therefore all the files and dirs in the html tree are owned by group
apache so that the server can see them yet people cannot see anything but
their own files.

It has recently crossed my mind that anyone can write a very simple php
script to peek at everything that apache can see because any script is run
with the uid/gid inherited from the webserver. Now, the html tree does not
contain any security-sensitive information, but I am sure that the clients
would not be happy to know that any other of my clients can see their
scripts and hidden information, like .htaccess-protected files or db files
generated by php or cgi scripts.

Is there anything anyone can do about this? Of course it would be ideal if
php would inherit uid/gid from the script file instead of the server
ownership, but I think there is no way to accomplish this, so this is why
I am clueless.

Oh, one more thingie: I have this CGI script here:

#!/usr/bin/php
<html><head>.....
etc etc
----------------

I try to access it and the "security warning!" page appears. The
documentation says that it's ok to use such CGI scripts, and warns the
user about the security threat of using the php binary as a CGI. Obviously
I am not using the php binary as a CGI, rather I am creating a CGI script
that's interpreted using the php binary, so what seems to be the problem
here?

Thx a lot,
georgeb
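
The exposure described in the post (every file the shared apache uid/gid can read is readable by every client's PHP script) can be measured before deciding on a fix. The audit below is an added example, not code from the post or from the PHP project: it models the web server as one uid/gid, walks a docroot tree, and reports, per client directory, which files that shared identity can read and why (owner, group or world bits). The layout /var/www/<client>/..., the gid 48 for the apache group, the uids 1001/1002 and the sample entries are constructed assumptions; on a real host run it against the actual docroot and the server's real uid/gid.

```python
import os
import stat
import sys

# Constructed sample records in the shape os.lstat would give:
# (path, uid, gid, permission bits). Uids 1001 and 1002 stand for two
# hosting clients; 48 is the assumed gid of the shared "apache" group.
WEB_UID = 48
WEB_GID = 48
DOCROOT = "/var/www"
SAMPLE_ENTRIES = [
    ("/var/www/clientA/index.php",          1001, 48,   0o640),
    ("/var/www/clientA/.htaccess",          1001, 48,   0o640),
    ("/var/www/clientA/data/users.db",      1001, 48,   0o660),
    ("/var/www/clientA/private/notes.txt",  1001, 1001, 0o600),  # not apache-readable
    ("/var/www/clientB/index.php",          1002, 48,   0o640),
    ("/var/www/clientB/secret.php",         1002, 48,   0o644),  # group and world readable
]


def client_of(path, root=DOCROOT):
    """First directory component under the docroot names the client."""
    rel = path[len(root):].lstrip("/")
    return rel.split("/")[0]


def scan_tree(root):
    """Yield (path, uid, gid, mode) for every regular file under root.

    Uses lstat so symlinks are reported as themselves, not their targets."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):
                yield (p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def web_read_access(uid, gid, mode, web_uid=WEB_UID, web_gid=WEB_GID):
    """Return "owner", "group", "world" for the bit that grants the web
    server read access, or None if it has none. Mirrors the kernel's
    ordering: owner class first, then group, then other."""
    if uid == web_uid:
        return "owner" if mode & stat.S_IRUSR else None
    if gid == web_gid:
        return "group" if mode & stat.S_IRGRP else None
    return "world" if mode & stat.S_IROTH else None


def cross_client_exposure(entries, web_uid=WEB_UID, web_gid=WEB_GID, root=DOCROOT):
    """Map client -> [(path, reason)] for every file the shared web-server
    identity can read. Because all clients' scripts run as that identity,
    each listed file is readable from any other client's script."""
    report = {}
    for path, uid, gid, mode in entries:
        reason = web_read_access(uid, gid, mode, web_uid, web_gid)
        if reason is None:
            continue
        report.setdefault(client_of(path, root), []).append((path, reason))
    return report


def exposure_counts(report):
    """Client -> number of files exposed to the other clients' scripts."""
    return {client: len(files) for client, files in report.items()}


if __name__ == "__main__":
    # With a directory argument, audit the real tree; otherwise use the sample.
    entries = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    root = sys.argv[1] if len(sys.argv) > 1 else DOCROOT
    for client, files in sorted(cross_client_exposure(entries, root=root).items()):
        print(f"{client}: {len(files)} file(s) readable by the web server identity")
        for path, reason in files:
            print(f"  {path}  (via {reason} bits)")
```

Files that show up as "group" are the ones the post's scheme makes visible: the group apache bit is what lets the server read them, and the same bit lets every PHP script on the box read them. Files with "world" are readable even by local accounts outside the group. Per-client isolation of the script uid (suexec-style CGI or one PHP-FPM pool per client running as that client's user) is what removes them from this report.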


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]