On Saturday, March 15, 2003, at 01:13 AM, Thomas Eibner wrote:
> On Sat, Mar 15, 2003 at 01:00:18AM +0900, Nathan Ollerenshaw wrote:
>> I wasn't thinking of anything radical. Just have a hook to set the
>> handler for a particular document (if it matches .php or .php4) to the
>> PHP module if it's allowed to, and serve it as a normal document if
>> not. Etc.
>>
>> I've not had a great delve in the hooks but nothing has suggested in
>> what I've looked at that it's not possible.
>
> I'm not sure if it's as simple as you describe. What is to stop a user from placing a .htaccess file in a directory giving himself ability to give the right content type to execute a php script for instance? If you want suexec to work too, there might be further complications. (Just thinking out loud here) :)

You bring up a valid point, but I was thinking more of sbox. That's what we use currently (because suexec didn't fit our model) and it works great. Though, there seems to be a bug where it's poisoning the environment ...

At any rate, if I'm interfering around the URI-to-filename translation phase first, I should be able to minimise any problems with .htaccess files. But, I don't know, I don't fully understand all the phases that I can interfere with just yet :)

There are other phases I've not really looked at as well which I could hook into to do extra sanity checks, I guess. But, I think, get the thing basically working, then narrow down all the annoying security holes it will make, eh?

>> I really need to get a proof-of-concept working; maybe this weekend if
>> my other half gives me an 'allowed to use computer' note for the teacher.
>
> What would you consider a proof-of-concept? I have my code lurking on some
> machine in cvs if you want to take a look at it.

If my feeble coding skills are up to it :) I've requested a new sf.net project, so in a couple of days I should be able to put up my hacky bits of code.

Really, I only started programming C with a vengeance about a week ago. I'm an old Perl hacker, and never felt a need to use C. So fear my code. Expect Apache to segfault. ;)

Nathan.

--
Nathan Ollerenshaw - Systems Engineer - Shared Hosting
ValueCommerce Japan - http://www.valuecommerce.ne.jp

I'm your blubber boy you should rub me
The sun beat me down too viciously
I fell into the ground to what I used to be
I've melted away I'm nothing again
