Re: Re: php security books


 



Andrew Hutchings wrote:
> In article
> <7dd2dc0b0707041022k29aec05bxee83073a8e0d09cb@xxxxxxxxxxxxxx>
> quickshiftin@xxxxxxxxx ("Nathan Nobbe") wrote:
> 
>>  this is getting good; i want to know why it's *flawed* now too.
>>  
>>  no pressure :)
>>  
> 
> OK, well, for example page 3 of the book suggests making PHP output
> errors into Apache's error_log.  To do this on Linux it means PHP
> would have to be run as root.

huh? funny thing is that on all the machines I work with Apache runs under
its own user (apart from at start up when it briefly runs as root before switching),
I run php as an Apache module (I'm assuming we're not talking about php cli given that
we're mentioning Apache), this means php is running in the context of the apache user
... and btw is quite capable of logging to the Apache error_log

running php as a CGI probably means you can't have php (which is probably running in
the context of the site owners' user account) log to the general apache error_log but
in such cases I would assume that the server configuration included error and access logging
on a per (v)host basis.

seems like you're spreading FUD - I doubt Chris Shiflett is perfect and I'm sure he's
probably made a few security mistakes of his own but your current example is not one of them
AFAICT.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

