Read up on safe_mode at http://php.net

--
Visit the Zend Store at http://www.zend.com/store/
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
----- Original Message -----
From: "Davydd Cook" <[EMAIL PROTECTED]>
Newsgroups: php.general
Sent: Friday, March 02, 2001 7:39 AM
Subject: [PHP] security concerns with PHP4 module


> Greetings, all.
>
> I'm a relative newcomer to PHP, looking into the possibilities of setting up
> a LAMP (Linux, Apache, MySQL, PHP, and Perl) platform for a new web server.
> We have everything set up and running currently, with PHP 4.04 running as an
> Apache module.  We'd like to pitch this to the higher-ups as a good thing
> for our site and our customers (who would also be able to use PHP), but we
> first have to address some security concerns.
>
> Namely, we're thinking it would be nice for users to be able to write
> scripts which would generate and store files within their home directories.
> However, because PHP runs as nobody, any such file would essentially need
> writable permission for every user.  This leaves any PHP-written file
> vulnerable to exploitation by anybody with a site on the server and some
> knowledge of PHP.
>
> Essentially, I'm wondering if there's any way in this situation for a PHP
> script to inherit the permissions of the user that owns it.  This would
> allow us (and our users) to write freely within the confines of our own
> directories.  Nice thought, but I'm really beginning to wonder if it's
> doable.
>
> Any input or suggestions which could be offered would be very much
> appreciated.  Thanks.
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
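
The exposure described in the quoted question (files and directories left world-writable so that a PHP module running as nobody can write to them) can be audited with `find`. This is an added example, not part of either message; the function names and the sample tree (users `alice` and `bob`) are constructed for illustration.

```shell
#!/bin/sh
# Audit a shared-hosting tree for entries that any local account, including
# the web server user (e.g. "nobody"), is allowed to modify.

# Print "KIND<TAB>PATH" for every world-writable entry under $1.
# KIND is FILE, DIR, or DIR-STICKY (sticky bit set: anyone can still create
# entries, but only the owner can remove or rename existing ones).
list_world_writable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -perm -0002 matches when the "other write" bit is set.
    find "$root" -type f -perm -0002 -exec printf 'FILE\t%s\n' {} \;
    find "$root" -type d -perm -0002 ! -perm -1000 -exec printf 'DIR\t%s\n' {} \;
    find "$root" -type d -perm -1002 -exec printf 'DIR-STICKY\t%s\n' {} \;
}

# Number of world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree and print its path. "alice" opened a data
# directory and file to everyone so the module could write; "bob" did not.
# The body runs in a subshell so the umask change does not leak out.
make_sample_tree() (
    umask 022
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/alice/public_html/data" "$t/bob/public_html"
    echo x > "$t/alice/public_html/data/guestbook.txt"
    echo x > "$t/bob/public_html/index.php"
    chmod 777 "$t/alice/public_html/data"
    chmod 666 "$t/alice/public_html/data/guestbook.txt"
    echo "$t"
)

# Stand-alone use: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    list_world_writable "$1"
fi
```

Every `FILE` or `DIR` line is something another customer's script, running under the same server user, could overwrite or replace.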

