On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
>
> robert mena wrote:
> > Hi,
> >
> > I host a few virtual domains in apache 2 and use php.
> >
> > The virtual domain is something like
> >
> > <VirtualHost a.b.c.d:80>
> > ServerAdmin [EMAIL PROTECTED]
> > DocumentRoot /home/httpd/html/domain.com
> > ServerName www.domain.com
> > ErrorLog logs/domain.com-error_log
> > CustomLog logs/domain.com-access_log combined
> > ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
> > <Directory /home/httpd/html/domain.com/>
> > AllowOverride AuthConfig Limit
> > php_admin_value doc_root "/home/httpd/html/domain.com/"
> > php_admin_flag safe_mode on
> > php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
> > </Directory>
> > </VirtualHost>
> >
> > Recently I had a minor problem with a user that uploaded via ftp a php
> > script in his domain and this domain used exec/system etc. to call
> > perl, read files.
> >
> > Shouldn't the settings above restrict such thing?
> >
>
> no, this setting affects only php, not programs executed from php
If you have safe mode on, you can set various things to stop this. One is safe_mode_exec_dir. You can specify a directory with binaries the users can run. Anything outside of that PHP won't run. Just set it to a path with no binaries (and no write access from users) and they won't be able to run outside programs unless you let them.

You can also put some functions in disable_functions, such as system() and exec(), popen(), proc_open(), passthru(), and shell_exec(). Disabling shell_exec() also disables backticks (`) (I think).

--
paperCrane --Justin Patrin--

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
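The per-vhost configuration the reply describes, written out as an added example (not from the thread or from either poster). It reuses the paths from the quoted VirtualHost; the directory /home/httpd/safe-bin and the stale-PHP note are assumptions, and the original block is shown beside the tightened one so the difference is visible:

```apache
# --- Original (as quoted in the thread): open_basedir and safe_mode confine
#     PHP's own file access, but a script can still spawn /usr/bin/perl
#     through exec()/system(), and the child process is outside PHP's control.
<Directory /home/httpd/html/domain.com/>
    AllowOverride AuthConfig Limit
    php_admin_value doc_root "/home/httpd/html/domain.com/"
    php_admin_flag  safe_mode on
    php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
</Directory>

# --- Tightened: same directives plus the two the reply recommends.
<Directory /home/httpd/html/domain.com/>
    AllowOverride AuthConfig Limit
    php_admin_value doc_root "/home/httpd/html/domain.com/"
    php_admin_flag  safe_mode on
    php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"

    # With safe_mode on, exec()/system() etc. may only launch binaries that
    # live in this directory. /home/httpd/safe-bin is an assumed path: create
    # it empty, owned by root, mode 0755, so users can neither run anything
    # from it nor drop their own binaries into it.
    php_admin_value safe_mode_exec_dir "/home/httpd/safe-bin"

    # Belt and braces: php_admin_value cannot be overridden from .htaccess or
    # ini_set(), so the restriction holds even if the tenant controls
    # AllowOverride'd files. (Note: disable_functions itself is php.ini-only;
    # see the note below.)
</Directory>
```

disable_functions cannot be set from httpd.conf; put `disable_functions = exec,system,popen,proc_open,passthru,shell_exec` in php.ini instead, where it applies to every vhost. Two caveats worth checking before relying on this: disabling shell_exec() does disable the backtick operator, since backticks are implemented as a call to shell_exec(); and safe_mode (with it, safe_mode_exec_dir) was deprecated in PHP 5.3 and removed in 5.4, so on any current PHP only open_basedir, disable_functions and operating-system isolation (running each vhost as its own user) remain.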