[cobalt-users] PHP Security Questions RaQ4i



Got some questions regarding PHP security.

-I've set safe_mode to 'On'. Can't see any difference in my scripts. 
In what cases will other users w/ php scripts see differences?

-I'm going to start putting 
php_admin_value open_basedir /home/sites/sitex:/tmp
and 
php_admin_value dir_upload /home/sites/sitex
in the httpd.conf in the <virtualhost>...</virtualhost> entries for 
sites that use php. According to the archives, this should jail a 
script's file-opening permissions while still allowing them to upload 
files to the tmp directory.
Will users be able to override these values with an .htaccess file?

-I have my AllowOverride set to All. This is mainly because I want 
users to be able to do password-protected directories, set their own 
error pages, and turn Indexing on (I've got it off by default). 
What AllowOverride setting will permit these three things but *not* 
permit people to escape their open_basedir jails?  Will they still be 
able to use other php flags like auto_append and basedir_inc?

-With safe_mode on and the open_basedir set, should I still chmod my 
database included password file to 700?

-Should I turn magic_quotes_gpc off? I've got it on only because 
PhpMyAdmin bitches about it.

Yes, I know this is not strictly cobalt-related. However, the way 
things act on a Cobalt is different than vanilla systems, and the 
htaccess files specifically are funky on Cobalts as well as the base 
directory paths.

TIA ---  haven't been around for a while, been busy - HAPPY HOLIDAYS!
--
CarrieB
"Wherever is found what is called a paternal government, there is 
found state education. It has been discovered that the best way to 
insure implicit obedience is to commence tyranny in the nursery." 
--Benjamin Disraeli, British Prime Minister 1868 and 1874-1880
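
An added example, not part of the original post: a small audit of the setup the message describes, reporting for each `<VirtualHost>` whether `open_basedir` is pinned with `php_admin_value` and whether its `AllowOverride` classes let `.htaccess` files carry `php_value`/`php_flag` lines. It relies on two documented PHP behaviours: values set with `php_admin_value` cannot be overridden from `.htaccess`, and mod_php accepts `php_value`/`php_flag` in `.htaccess` only under `AllowOverride Options` or `All`. The sample configuration, site names and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample httpd.conf fragment; site names, IP and paths are made up.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10>
  ServerName site1.example.com
  php_admin_value open_basedir /home/sites/site1:/tmp
  <Directory /home/sites/site1>
    AllowOverride All
  </Directory>
</VirtualHost>
<VirtualHost 192.0.2.10>
  ServerName site2.example.com
  <Directory /home/sites/site2>
    AllowOverride AuthConfig FileInfo
  </Directory>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
# Override classes under which mod_php accepts php_value/php_flag in .htaccess.
PHP_HTACCESS_CLASSES = {"all", "options"}

def directive_args(body, name):
    """Argument string of every uncommented `name ...` line in a vhost body."""
    pat = re.compile(r"^[ \t]*" + re.escape(name) + r"[ \t]+(.+?)[ \t]*$", re.M | re.I)
    return pat.findall(body)

def audit(conf_text):
    """One finding per <VirtualHost>: site, open_basedir value, .htaccess PHP flags."""
    findings = []
    for body in VHOST_RE.findall(conf_text):
        site = (directive_args(body, "ServerName") or ["(unnamed)"])[0]
        basedir = None
        for args in directive_args(body, "php_admin_value"):
            parts = args.split(None, 1)
            if parts[0].lower() == "open_basedir" and len(parts) == 2:
                basedir = parts[1]
        classes = {tok.lower() for line in directive_args(body, "AllowOverride")
                   for tok in line.split()}
        # None means no AllowOverride in this block: the value is inherited.
        htaccess_php = bool(classes & PHP_HTACCESS_CLASSES) if classes else None
        findings.append({"site": site, "open_basedir": basedir,
                         "htaccess_php": htaccess_php})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f)
```

A site with `open_basedir` of `None` has no per-site jail in its block, and `htaccess_php` of `True` means users can still set other PHP values from `.htaccess` even though the `php_admin_value` lines stay fixed.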