if the script is running as user "scott" group "scott",
then it can only alter/read/execute files that the user
"scott" has access to... nothing else.

of course, if you have user "scott", group "users",
and have user "tom" in group "users", then any files
that have the group read/write/exec permissions set
could possibly be "vulnerable" to other users' scripts.

> -----Original Message-----
> From: Aaron Bennett [mailto:[EMAIL PROTECTED]]
> Subject: RE: [PHP] PHP/Apache security question
> 
> Does anyone know if SuExec plays "friendly" with PHP? From my recollection,
> when using suexec, it only alters the current UID/GID for scripts executed
> by httpd. Does PHP get treated the same way as would say a perl cgi script?
> 
> I've looked a little at how phpwebhosting.com does it, and they set each
> user to their own unique primary group, and are (I believe) using suexec in
> their apache config setting each VirtualHost with their respective user and
> group... But does that really 'secure' everyone's code from other equally
> privileged users? :-?
> 
> --
> Aaron Bennett
> [EMAIL PROTECTED]
> 
> 
> -----Original Message-----
> From: ..s.c.o.t.t.. [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, July 07, 2001 4:33 PM
> To: Php-General
> Subject: RE: [PHP] PHP/Apache security question
> 
> 
> of course that's possible... it's not default, but it's very possible
> 
> i think it's an apache module called suEXEC
> that will run the script with the script owner's name.group,
> not apache.apache
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > Subject: [PHP] PHP/Apache security question
> > 
> > Is there anything anyone can do about this? of course it would be ideal if
> > php would inherit uid/gid from the script file instead of the server
> > ownership but I think there is no way to accomplish this, so this is why
> > I am clueless.
> > 
> > Oh, one more thingie: I have this CGI script here:
> > 
> > #!/usr/bin/php
> > <html><head>.....
> > etc etc
> > ----------------
> > 
> > I try to access it and the "security warning!" page appears. The
> > documentation says that it's ok to use such CGI scripts, and warns the
> > user about the security threat of using the php binary as a CGI. Obviously
> > I am not using the php binary as a CGI, rather I am creating a CGI script
> > that's interpreted using the php binary, so what seems to be the problem
> > here?
> > 
> > Thx a lot,
> > georgeb
> > 
> > 
> > -- 
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> > 

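The permission behaviour discussed in this thread, as an added example that is not code from any of the posters: it models the classic Unix owner/group/other check for a script that suEXEC runs as a given user, and scans a directory tree for files that still grant group or other access. The accounts "scott" and "tom" come from the thread; the function names and sample modes are constructed, and directory traversal permissions, ACLs and root are left out of the model.

```python
import os
import stat

def access_for(user, user_groups, owner, group, mode):
    """Return the 'rwx' letters granted to `user` on a file, using the classic
    Unix rule: owner class if user owns it, else group class, else other."""
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in user_groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c for c, b in zip("rwx", (4, 2, 1)) if bits & b)

def exposed_files(root):
    """List (path, octal mode) for regular files under `root` that grant any
    group or other permission, i.e. files some other account may reach."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)

def demo():
    """What tom's script can do to scott's files (constructed sample data)."""
    shared = {"users"}    # tom's groups when both accounts sit in group "users"
    private = {"tom"}     # tom's groups when every user has a unique primary group
    return {
        # group-writable file in the shared group: tom's script can read and write it
        "shared_0660": access_for("tom", shared, "scott", "users", 0o660),
        # same mode, private group: tom falls into "other" and gets nothing
        "private_0660": access_for("tom", private, "scott", "scott", 0o660),
        # private group but world-readable: still readable by tom's script
        "private_0644": access_for("tom", private, "scott", "scott", 0o644),
    }

if __name__ == "__main__":
    for case, perms in demo().items():
        print(case, repr(perms))
```

The last case shows that unique primary groups only isolate users when the "other" bits are cleared as well; `exposed_files` can be pointed at a web root to find files where they are not.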