----- Original Message ----- 
From: "Christopher X. Candreva" <[EMAIL PROTECTED]>
To: "Gordon Hudson" <[EMAIL PROTECTED]>
Sent: Friday, August 12, 2005 10:26 PM
Subject: Re: [domains-gen] Securing CCS in a shared server environment


> On Fri, 12 Aug 2005, Gordon Hudson wrote:
>
>> That's impossible as most hosts restrict open base directory for PHP so
>> they cannot read files outside the user account.
>
> That will stop PHP scripts from reading outside the account, but if the
> same host allows CGI for perl (or any other language) those will not be
> subject to the same restrictions.
>
>> Plus most are using phpexec now.
>
> Is that anything like suphp -- www.suphp.org -- Basically a module to do
> suexec for PHP, though it appears to end up just running it as a CGI,
> unless it also caches interpreters per uid.
>
> Because yes, if you can run the PHP script as a specific user other than
> nobody that is the solution.


It's like suexec in that it runs the PHP scripts as the user who owns the
account. So if you have suexec for CGI and phpexec installed, each process
can be tracked.
This is mainly used to prevent CGI scripts which write PHP scripts, execute
them, then delete them, which is a common advanced spamming method now.

phpexec causes very few problems for end users in my experience.
I was sceptical at first, but it worked out very well for us.

Safe mode is obviously the top solution, but most customers can't cope with
safe mode turned on, so we use phpexec and mod_security with a big list of
filters to prevent character substitution hacks being used to inject things
into scripts via POST.


Regards

Gordon Hudson
Hostroute.com Ltd
www.hostroute.net
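As an added illustration (not part of the list thread, and not Hostroute's or suPHP's own configuration), here is one per-customer Apache vhost that layers the three controls the thread discusses: open_basedir for the PHP interpreter, suexec so CGI runs as the account owner, and suPHP (www.suphp.org) so PHP runs as that same owner. The account name `customer1`, the paths, the hostname and the mod_security directives are constructed placeholders; the mod_security lines use the 1.x `SecFilter*` syntax current at the time of the thread and stand in for the "big list of filters" the message mentions.

```apacheconf
# Constructed example: one shared-hosting account, not a real deployment.
<VirtualHost *:80>
    ServerName customer1.example.invalid
    DocumentRoot /home/customer1/public_html

    # 1. suexec: anything under this vhost that Apache runs as CGI executes
    #    as the account owner, so the kernel's file permissions confine it,
    #    not the interpreter. This is what open_basedir alone does not give
    #    a Perl (or other) CGI.
    SuexecUserGroup customer1 customer1
    ScriptAlias /cgi-bin/ /home/customer1/public_html/cgi-bin/

    # 2. suPHP: PHP is executed (as a CGI) under the same uid/gid, so a CGI
    #    that drops a PHP file, or a PHP script that drops a CGI, still runs
    #    as customer1 and is traceable to that account in process listings.
    suPHP_Engine on
    suPHP_UserGroup customer1 customer1
    AddHandler application/x-httpd-php .php
    suPHP_AddHandler application/x-httpd-php
    # Directory holding this account's own php.ini.
    suPHP_ConfigPath /home/customer1/etc

    # 3. open_basedir: with mod_php the directive below would apply; with
    #    suPHP it belongs in /home/customer1/etc/php.ini instead as
    #        open_basedir = /home/customer1/:/tmp/
    #    It restricts only PHP's file functions, which is why (1) and (2)
    #    are needed for everything that is not PHP.
    # php_admin_value open_basedir "/home/customer1/:/tmp/"

    # 4. mod_security 1.x: reject request bodies that rely on odd encodings
    #    or non-printable bytes, the "character substitution" class of
    #    input the message refers to. Constructed minimal rule set.
    <IfModule mod_security.c>
        SecFilterEngine On
        SecFilterScanPOST On
        SecFilterCheckURLEncoding On
        SecFilterForceByteRange 32 126
        SecFilterDefaultAction "deny,log,status:403"
    </IfModule>
</VirtualHost>
```

Once CGI and PHP both run as the account owner, the confinement is only as good as the filesystem permissions: the account's home directory should not be world-readable (for example `chmod 0711 /home/customer1`), otherwise a script running as a different customer can still read it regardless of which interpreter it uses.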
_______________________________________________
domains-gen mailing list
[email protected]
http://discuss.tucows.com/mailman/listinfo/domains-gen