An apology...

> On 10.03.11 03:59, aaron...@comcast.net wrote:
> > While the setup Jim describes is similar to what I have set up, the issue
> > still remains when a user uploads a PHPSHELL to their document root and
> > accesses the server through the uploaded shell: they are no longer operating
> > under the FTP user account. They are operating under the www-data account,
> > which is the account Apache operates in. By doing so when using the
> > uploaded PHPSHELL you bypass the FTP and jail restrictions
> 
> What jail restrictions? Of course when running PHP under Apache, the
> restrictions from FTP do not apply. Therefore you must configure PHP so
> other restrictions apply.
> 
> > that prevent
> > you from seeing other people's document root and have access to all
> > document roots on the system. Here is a PHPSHELL:
> > http://phpshell.sourceforge.net/ Upload and configure it. Give it a try; it
> > runs under the www-data account just like all other pages do.
> > 
> > This issue would allow your PHP files to be viewed. This can be an issue
> > due to needing to have passwords in PHP scripts to access SQL databases
> > etc.
> > 
> > This issue could be resolved by making each virtualhost run under a 
> > different account and jailing each account in a different jail. 

On 06.04.11 11:39, Matus UHLAR - fantomas wrote:
> Read my former mail, I think I have described everything you mention.

Sorry for my ignorance. I forgot I'm in lag (illness etc.) and haven't seen
your post before (seems due to broken threading).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.