On 10.03.11 03:59, aaron...@comcast.net wrote: > While the setup Jim decribes is similar to what I have setup, The issue > still remains when a user uploads a PHPSHELL to there docment root and > access the server through the uploaded shell they are no longer operating > under the FTP user account. They are operating under the www-data account > which is the account apachie operates in. By doing so when using the > uploaded PHPSHELL you bypass the FTP and jail restrictions
What jail restrictions? of course when running PHP under under apache, the restrictions from FTP do not apply. Therefore you must configure PHP so other restrictions apply. > that prevent > you from seeing other peoples document root and have access to all > document roots on the system. Here is a PHPSHELL > http://phpshell.sourceforge.net/ upload and configure it. give it a try it > runs under the www-data account just like all other pages do. > > This issue would allow your PHP files to be viewed. This can be an issue > due to needing to have passwords in PHP scripts to access SOL databases > etc.. > > This issue could be resolved by making each virtualhost run under a different > account and jailing each account in a different jail. read my former mail, I think I have described everything you mention. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. It's now safe to throw off your computer. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
