RE: [users@httpd] Hacked the website replace the index.hm page

Hi,

Does no one use cgi wrap anymore? I thought that the best way to handle this kind of thing is to run PHP as a CGI first off, and then use something like wrap to isolate users. Yes, lesser performance, but people running on shared servers get what they pay for, and it certainly makes sense to take their security first and performance second.

Eric

At 06:55 PM 5/8/2005, Gary W. Smith wrote:
Here is the explanation as you have already presented it:

All users sites are owned by httpd
There are multiple user sites, we'll say a-z.
Site a is running PHPbb with a version known to be buggy.
Someone issues a hack against site a.  The hack says modify site b-z.
Apache says, why not, I own the files so I can.
User from site j complains because site is hacked.

The rule of thumb is that apache can edit any file it has read/write
access to.

What we have done in the past to prevent this.

We have multiple sites running on single boxes and ensure that this
doesn't happen by having the files owned by the user with read-only
access to apache (r/w is assigned by the users at their own risk,
usually only to directories they need to upload to).

If your users fail to update their versions of phpbb there isn't much you
can do, but you are also not responsible for their failure to do so.

We also turn on open base dir per virtual instance (all on one line).
php_admin_value open_basedir "/tmp:/home/whateveruser/html:/usr/local/horde:/usr/local/lib"

This might help, but it won't hurt!

> ----- Original Message -----
> From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
> To: <users@xxxxxxxxxxxxxxxx>
> Sent: Sunday, May 08, 2005 8:23 PM
> Subject: Re: [users@httpd] Hacked the website replace the index.hm page
>
>
> Hi Tim,
>
> Could you please explain it a bit more. There is no connection between the
> hacked website and the phpBB website (both are different virtual hosts). We
> are using php version 4.3.9. Do you mean upgrade php?
>
> Thanks
> Mathew
>
>
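
A defender-side check for the ownership model Gary describes above (apache must not be able to write the sites' files), written as an added shell example for this thread; it is not code from the list or from httpd. The web server user/group arguments and the /home/<user>/html layout taken from Gary's open_basedir line are assumptions:

```sh
#!/bin/sh
# Added example: audit vhost document roots for files the web server user
# could modify, which is the condition that let site a's phpBB hole rewrite
# sites b-z. WEB_USER/WEB_GROUP and the docroot layout are assumptions.

# Print every regular file under $1 that web user $2 (group $3) can write:
# owned by that user with u+w (0200), in its group with g+w (0020), or
# world-writable (0002). Returns 1 if any were found, 2 on an unknown user.
www_writable_files() {
    root=$1; user=$2; group=$3
    id "$user" >/dev/null 2>&1 || { echo "unknown user: $user" >&2; return 2; }
    found=$(find "$root" -type f \( -perm -002 \
              -o \( -user "$user" -perm -200 \) \
              -o \( -group "$group" -perm -020 \) \) -print)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Number of such files, for scripting or alerting.
www_writable_count() {
    www_writable_files "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Walk every per-user site under a shared parent (assumed <parent>/<user>/html)
# and report; the return value is the number of sites that failed.
audit_sites() {
    parent=$1; user=$2; group=$3; bad=0
    for site in "$parent"/*/html; do
        [ -d "$site" ] || continue
        n=$(www_writable_count "$site" "$user" "$group")
        if [ "$n" -gt 0 ]; then
            echo "WARN $site: $n file(s) writable by $user"
            bad=$((bad + 1))
        else
            echo "OK   $site"
        fi
    done
    return "$bad"
}
```

Run it as `audit_sites /home apache apache` (or whatever user httpd runs as); a site that only needs an upload directory writable should show just those files.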

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

