> please hack apart this solution and point out the error/insecure nature of
> setup.
> goal, provide php access to name based virtual hosts on FreeBSD boxes
> problem, security of PHP access to base system and other user scripts
> solution,
> apache compiled with suexec
> # set user and group to unique
> chown USERID:USERID /path/to/user/html/directory

Make it -R in case any files managed to get in there before you did this.

> # no public access to any files under here that
> # you don't want public reading, like scripts
> # with database login information in them
> chmod -R 0750 /path/to/user/html/directory

You still ought to move those files outside the web-tree...

> # set group sticky execution...  we will run
> # apache as this unique group so may not be needed
> chmod g+s /path/to/user/html/directory

I don't grok this, so have no comment.

> >in apache's httpd.conf
> # set each virtual host to run any accesses
> # as the group USERID giving them only access
> # to this directory...  defeats PHP directory
> # and shell scripts as long as no public read bits
> # are set
> <virtual *>
> ServerName whatever.com
> Group USERID

Bzzzzzt.  Unless you are running Apache 2.0, this is ineffectual or
downright illegal syntax.  suExec will *ONLY* work with PHP CGI.  You'd have
to run a separate pool of httpd's for each user for this to work in Apache

At least, so I've been told a few times. :-)

You're welcome to try it, but don't do it on a public server.

WARNING [EMAIL PROTECTED] address is an endangered species -- Use
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to