[cobalt-users] PHP Safe Mode
- Subject: [cobalt-users] PHP Safe Mode
- From: "Steven Depuydt - www.BeNe.WS" <Steven@xxxxxxx>
- Date: Tue Jan 21 03:45:03 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hello List,
I had some security problems with my PHP installation.
Old Topic: HACK !! - PHP HTTP File Edito
I think that I have found a solution.
PER Virtual Site I have to add the following line in httpd.conf.
php_admin_value open_basedir /home/sites/siteXXX/web:/tmp
(The /tmp is needed for uploading files)
How can I do this with a script (I have 150 sites on my server) ?
How can this line AUTOMATICALLY be added with a NEW virtual site ? Or with a
script that runs from cron ?
Are there OTHER things that I have to install / configure to SECURE my
server ? I have a RAQ3 with the latest updates, MySQL & PHP
Regards,
Steven Depuydt
www.BeNe.WS
> What can we do against this ?
>
> THANKS FOR YOUR COMMENTS !!
Well, for one thing, we can STOP SCREAMING! Take a few deep breaths. Feel
better now? Good.
First off, the HTML Editor isn't a, "HACK !!," it's a legitimate project
with source code available. It isn't terribly _useful,_ IMHO, since I've seen
much better editors around, but it's perfectly serviceable and nowhere near a
hazard or a problem.
(*sigh*) To directly answer your question, I suggest you spend a few
minutes at the php.net website reading the documentation (novel idea, that),
especially the sections on security (specifically filesystem security),
configuration, and Safe Mode. I think you'll discover that although
anyone with the editor might be able to, "BROWSE & READ the COMPLETE
directory structure of *YOUR* server with his browser," that person couldn't
do any such thing to a properly-configured machine.
If you'd like to see a PROPERLY configured example, go to the SourceForge
site for this project, and try to edit above the
/home/groups/p/ph/phphttpfileed/htdocs/testdrive/ directory:
http://phphttpfileed.sourceforge.net/index.php
And _please,_ next time, do a little research before you proclaim that the
sky is falling. Think, "RTFM."
Charlie (who can't help but wonder if this is yet another
example of people installing "packages" which
they _think_ will take away their responsibility
to understand the software they install on their
server, and panicking when they discover it doesn't;
welcome to the world of the sysadmin)
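
One way to script the per-site `open_basedir` line asked about at the top of this message, as an added example that is not part of the original thread. It assumes each site has its own `<VirtualHost>` block containing a `DocumentRoot` with no spaces in the path; the function names, addresses and host names are constructed for illustration.

```shell
#!/bin/sh
# Print an Apache config with a per-site open_basedir line inserted before
# each </VirtualHost>. Blocks that already have one are left alone, so the
# filter is idempotent and can be re-run from cron to pick up new sites.
# Reads the file(s) given as arguments, or stdin when none are given.
add_open_basedir() {
    awk '
    { low = tolower($0) }                      # Apache directives are case-insensitive
    low ~ /^[ \t]*<virtualhost[ \t>]/ { inblock = 1; root = ""; has = 0 }
    inblock && low ~ /^[ \t]*documentroot[ \t]/ {
        root = $2
        gsub(/"/, "", root)                    # drop optional quotes
        sub(/\/+$/, "", root)                  # drop trailing slashes
    }
    inblock && low ~ /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]/ { has = 1 }
    inblock && low ~ /^[ \t]*<\/virtualhost>/ {
        if (root != "" && !has)
            print "php_admin_value open_basedir " root ":/tmp"
        inblock = 0
    }
    { print }
    ' "$@"
}

# Constructed sample config (not a real RaQ file): one site without the
# directive and one that already has it.
sample_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10>
ServerName www.example.com
DocumentRoot /home/sites/site1/web
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.example.org
DocumentRoot /home/sites/site2/web/
php_admin_value open_basedir /home/sites/site2/web:/tmp
</VirtualHost>
EOF
}

sample_conf | add_open_basedir
```

Write the output to a new file and check it with Apache's config test (`httpd -t -f <file>`) before replacing the live `httpd.conf`. PHP of this era matches the `open_basedir` value as a path prefix, so a value ending in `/web` also permits a sibling such as `/web-old`; ending the path with a slash restricts it to that directory only.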