On Tue, Aug 05, 2003 at 08:26:25PM +0000, Voytek Eymont wrote:
> in a situation where I can have a user placing a potentially poorly
> written PHP code in his webserver that is vhost on my box, what should one
> be doing to protect the box from such mishaps, any suggestions to minimize
> the potential risk?

You're screwed. Safe mode will help, but it's a necessarily restrictive environment. I personally hate writing for it; it's quite an art...

I recall something you could do to Apache to make it run the script with the perms of the owner of the script, so if the user dumps insecure scripts on their site, the cracker can only screw with their own stuff, instead of everything owned by www-data. My recollection may be hazy, though.

Auditing of scripts may be the least-worst option, or, if it's a commercial venture, make it very clear that anything the user puts on the server which subsequently compromises security will leave the user liable for all clean-up costs and some extra charges. Might help, and at least it won't leave you in the lurch.

- Matt

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
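
A sketch of the two mechanisms the reply mentions, as an added example that is not part of the original message: PHP safe mode, and Apache's suEXEC, which is assumed here to be the feature the reply half-remembers. The user `alice`, the hostname and the paths are constructed placeholders; the directives are Apache 2.x and PHP 4 (mod_php) syntax.

```apache
# Constructed example vhost for one hosted user ("alice" is a placeholder).
<VirtualHost *:80>
    ServerName   alice.example.com
    DocumentRoot /home/alice/public_html

    # --- Layer 1: run the user's CGI programs as the user (mod_suexec) ---
    # Without this directive, CGI programs in this vhost run as the server's
    # own User/Group (www-data on Debian), so one bad script can touch
    # everything www-data can. With it, they run as alice:alice and the
    # damage is limited to what alice's account can reach.
    # Caveats: suEXEC covers CGI and SSI programs only, so PHP must be run
    # as a CGI binary to benefit; scripts handled by mod_php still execute
    # inside the server process as www-data. suEXEC also refuses targets
    # outside its compiled-in document root or that fail its ownership and
    # permission checks.
    SuexecUserGroup alice alice

    # --- Layer 2: restrict scripts that still run under mod_php ---
    # php_admin_* settings cannot be overridden from .htaccess or ini_set(),
    # so the hosted user cannot switch them back off.
    php_admin_flag  safe_mode    on
    # Confine file access to the user's own tree plus a temp directory.
    php_admin_value open_basedir "/home/alice/public_html/:/tmp/"

    # Do not let per-directory .htaccess files re-enable CGI execution or
    # other options outside the paths the administrator has approved.
    <Directory /home/alice/public_html>
        AllowOverride None
        Options -ExecCGI -Includes
    </Directory>
</VirtualHost>
```

Whether a given request falls under layer 1 or layer 2 depends on how PHP is wired into the server, so check which identity a test script actually runs as before relying on either.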