RE: [PHP] PHP/Apache security question

Sat, 07 Jul 2001 13:56:45 -0700 

Does anyone know if SuExec plays "friendly" with PHP? From my recollection,
when using suexec, it only alters the current UID/GID for scripts executed
by httpd. Does PHP get treated the same way as would say a perl cgi script?

I've looked a little at how phpwebhosting.com does it, and they set each
user to their own unique primary group, and are (i believe) using suexec in
their apache config setting each VirtualHost with their respective user and
group... But does that really 'secure' everyone's code from other equally
privileged users? :-?

--
Aaron Bennett
[EMAIL PROTECTED]


-----Original Message-----
From: ..s.c.o.t.t.. [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 4:33 PM
To: Php-General
Subject: RE: [PHP] PHP/Apache security question


of course that's possible... it's not default, but it's very possible

i think it's an apache module called suEXEC
that will run the script with the script owner's name.group,
not apache.apache

> -----Original Message-----
> From: [EMAIL PROTECTED]
> Subject: [PHP] PHP/Apache security question
> 
> Is there anything anyone can do about this? of course it would be ideal if
> php would inherit uid/gid from the script file instead of the server
> ownership but I think there is no way to accomplish this, so this is why
> I am clueless.
> 
> Oh, one more thingie: I have this CGI script here:
> 
> #!/usr/bin/php
> <html><head>.....
> etc etc
> ----------------
> 
> I try to access it and the "security warning!" page appears. The
> documentation sais that it's ok to use such CGI scripts, and warns the
> user about the security threat of using the php binary as a CGI. Obviously
> I am not using the php binary as a CGI, rather I am creating a CGI script
> that's interpreted using the php binary, so what seems to be the problem
> here?
> 
> Thx a lot,
> georgeb
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to