
Re: [cobalt-developers] php3 and security



Check in the PHP docs, there is a way to "manually" restrict how deep a user
can go with php3, you can enable or disable it for certain dirs, etc.  We
personally set a base root for each of our clients using PHP3 so we are
certain that none can access anything under their web root.  Furthermore,
php3 is only activated on request too so it's even more safe.
Good luck!
-----------
[ Félix C.Courtemanche | Web Designer ]
[ Head Designer | Co-Admin ]
[ webmaster@xxxxxxxxxxxx ]
[ Can-Host Networks | http://can-host.com ]

-----Original Message-----
From: Jose Luis Aguilar <jlaguilar@xxxxxxx>
To: cobalt-developers@xxxxxxxxxxxxxxx <cobalt-developers@xxxxxxxxxxxxxxx>
Date: June 7, 2000 01:29
Subject: [cobalt-developers] php3 and security


>Cobalt Developers,
>
>I just installed php3 with mysql and imap support on a Raq3 and everything
>seems to be working fine. Now my concern is about security. All .php3
>scripts run under the web server UID "httpd". This is a security risk, since
>a lot of files on the raq3 are owned by httpd.
>
>Is there a way to use "cgiwrap" to run php3 scripts through it? or is there
>any other way to run .php3 scripts with the owner's permissions?
>
>Also, I remember Cobalt releasing an unofficial patch for the "httpd"
>ownership security hole. I believe they changed the ownership of most files
>to "nobody" instead of "httpd". Cobalt was supposed to release an official
>patch for this issue, but it has been awhile now, and I have not seen it.
>Where can I get the unofficial one?
>
>I searched the archives for the cobalt lists, and I was unable to find
>anything about this.
>
>Thanks for your help,
>
>Jose Aguilar
>
>
>_______________________________________________
>cobalt-developers mailing list
>cobalt-developers@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-developers
>
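
One way to express the setup described in the reply, as an added example that is not part of the original thread. It assumes the restriction meant is PHP's `open_basedir` setting, applied per virtual host through the `php3_`-prefixed Apache-module directives; the address, hostnames and paths are constructed placeholders.

```apache
# Added example (assumption: the per-client "base root" is open_basedir).
# Address, hostnames and paths below are constructed placeholders.

# Server-wide default: PHP parsing is off, so it is only active
# where a virtual host turns it on.
php3_engine off

# Client who requested PHP: enabled, and confined to their own web root.
<VirtualHost 192.0.2.10>
    ServerName client-a.example
    DocumentRoot /home/sites/client-a.example/web

    php3_engine on
    # PHP file functions (fopen, include, ...) refuse paths outside this tree.
    php3_open_basedir /home/sites/client-a.example/web
</VirtualHost>

# Second PHP client: same pattern, a different base directory,
# so neither client's scripts can open the other's files.
<VirtualHost 192.0.2.10>
    ServerName client-b.example
    DocumentRoot /home/sites/client-b.example/web

    php3_engine on
    php3_open_basedir /home/sites/client-b.example/web
</VirtualHost>

# Client who did not request PHP: inherits "php3_engine off",
# so .php3 files here are never handed to the interpreter.
<VirtualHost 192.0.2.10>
    ServerName client-c.example
    DocumentRoot /home/sites/client-c.example/web
</VirtualHost>
```

`open_basedir` only limits what PHP's own file functions will open; the scripts still execute under the web server UID, so it does not replace running them with the owner's permissions.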