Re: Re: [PHP] Re: php security books

In article <468BE67E.5050504@xxxxxxxxxxxxx>
jochem@xxxxxxxxxxxxx(Jochem Maas) wrote:

>> OK, well, for example page 3 of the book suggests making PHP output
>> errors into Apache's error_log.  To do this on Linux it means PHP
>> would have to be run as root.
>
> huh? funny thing is that on all the machines I work with Apache
> runs under its own user (apart from at start up when it briefly runs
> as root before switching), I run php as an Apache module (I'm
> assuming we're not talking about php cli given that we're mentioning
> Apache), this means php is running in the context of the apache
> user.... and btw is quite capable of logging to the Apache error_log

Exactly, the initial process runs as root, and this is the process
that does the logging; it would be another security issue to have your
logs set as apache's owner.  PHP is run as apache's user (unless you
use something like suPHP), so if you use PHP's error handler function (not
the thing that sends data to the error logs) to write to apache's logs,
they would either have to be owned by apache or php would have to run
as root.

> running php as a CGI probably means you can't have php (which is
> probably running in the context of the site owners' user account)
> log to the general apache error_log but in such cases I would assume
> that the server configuration included error and access logging on a
> per (v)host basis.

Indeed, I was talking more about the mod_php side of things, which judging by
the wording of the book is also the assumption made.

> seems like you're spreading FUD - I doubt Chris Shiflett is perfect
> and I'm sure he's probably made a few security mistakes of his own
> but your current example is not one of them AFAICT.

You are entitled to your opinions, and I am entitled to mine.  If you
believe I am spreading FUD, so be it.  But that example _is_ a
security flaw.

-- 
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...
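The distinction the thread turns on, shown in code. This is an added example, not code from either poster or from the book under discussion. It assumes mod_php under Apache on Linux, and `$logPath` is a placeholder for wherever your distribution keeps Apache's error_log. The first route hands the message to the SAPI, so Apache writes it through the descriptor it opened at startup as root and the PHP process needs no write access to the file at all. The second route, a custom error handler that opens the file itself, runs as the Apache user and only works if that user owns or can write the file, which is the ownership problem described above.

```php
<?php
// Added example (not from the thread). Assumes mod_php on Linux; $logPath is a
// placeholder, not a path taken from the discussion.
declare(strict_types=1);

$logPath = '/var/log/apache2/error.log'; // placeholder: adjust for your distribution

// Route 1: the SAPI. With log_errors=On and no error_log directive set, error_log()
// passes the message to Apache, which writes it via its own (root-opened) log handle.
// The PHP worker never touches the file, so no ownership change is needed.
error_log('sapi route: written through the Apache error log handle');

// Route 2: a custom handler that opens the log file directly. This runs as the
// Apache user, so it needs that user to be able to append to the file.
function canAppend(string $path): bool
{
    // is_writable() checks against the effective uid of the running PHP process,
    // i.e. the Apache user under mod_php, not root.
    return file_exists($path) ? is_writable($path) : is_writable(dirname($path));
}

function currentUid(): string
{
    // posix_geteuid() needs the posix extension; fall back gracefully without it.
    return function_exists('posix_geteuid') ? (string) posix_geteuid() : 'unknown';
}

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use ($logPath): bool {
    $line = sprintf("[%s] PHP %d: %s in %s:%d\n", date('c'), $errno, $errstr, $errfile, $errline);

    if (canAppend($logPath) && ($fh = @fopen($logPath, 'ab')) !== false) {
        // Only reachable when the Apache user can write the file: either it owns the
        // file (the weakness raised above) or the file was made writable to it.
        fwrite($fh, $line);
        fclose($fh);
    } else {
        // Expected case with root-owned logs: the direct open fails. Fall back to the
        // SAPI so the message is not lost and no permission loosening is required.
        error_log('custom handler could not open ' . $logPath . ' as uid ' . currentUid() . '; ' . $line);
    }
    return true; // mark the error as handled
});

// Trigger a notice so both routes can be observed in the error log.
trigger_error('test notice from the custom handler', E_USER_NOTICE);
```

Running this under mod_php with a root-owned error_log, the first line appears in the log and the custom handler takes the fallback branch, which is the safe configuration; if the direct write succeeds instead, the log file is writable by the Apache user and is worth checking with `ls -l` on the path.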

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

