
[linux-security] Re: php3 module and security



When run as an Apache module, PHP inherits the uid and gid of the Apache
daemon, typically the user/group "nobody" or "httpd".  To keep PHP out of
your files, just make sure they can't be seen by that user.  This user's
file creation privileges determine where PHP files can write files.  So if
the web server user is named "httpd," it should be able to write into
/home/httpd.

However, if you're managing a shared web server with multiple PHP users,
you'll probably want to invoke PHP's safe mode, which, as you rightly point
out, is only available if PHP is compiled as a CGI binary, not as an Apache
module.  I don't see that as much of a penalty, plus you can control access
to PHP by only giving copies of the binary to "trusted" users.

Peter


-----

Peter H. Lemieux                            Voice:      (800) 5-CYWAYS
CYWAYS, Incorporated                                 +1 (617) 796-8995
19 Westchester Road                         Fax:     +1 (617) 796-8997
Newton, Massachusetts 02458-2519 USA        Web: http://www.cyways.com



"Levy Carneiro Jr." wrote:
> If a user in an ISP creates a file .php3 with read/write functions,
> he'll have permissions to read/overwrite some private files.
> I need a way to specify which directory will be viewed by the parser.
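
The check described in the message above, as an added example that is not part of the original post: a shell function that lists what a given web server identity can read or write under a directory, going by the mode bits alone. The function name `web_user_reach` is hypothetical; it assumes the uid/gid are passed as names or numbers and it ignores supplementary groups, ACLs and search permission on parent directories.

```shell
#!/bin/sh
# Added example (not from the original post).
# List files and directories under DIR that the identity UID:GID can
# read or write, judging only by owner/group/other mode bits.
#
# Unix picks exactly one permission class per access:
#   owner bits if the uid owns the file,
#   else group bits if the gid matches the file's group,
#   else the "other" bits.
# So a file owned by the web user with mode 044 is NOT readable by it,
# and a private file stays private only if the "other" bits are clear.
#
# Usage: web_user_reach read|write DIR UID GID
#   e.g. web_user_reach write /home nobody nobody
web_user_reach() {
    _mode=$1 _dir=$2 _uid=$3 _gid=$4
    case $_mode in
        read)  _u=-400 _g=-040 _o=-004 ;;
        write) _u=-200 _g=-020 _o=-002 ;;
        *) echo "usage: web_user_reach read|write DIR UID GID" >&2
           return 2 ;;
    esac
    # Directories are included because write permission on a directory
    # is what allows file creation inside it.
    find "$_dir" \( -type f -o -type d \) \( \
        \( -user "$_uid" -perm "$_u" \) -o \
        \( ! -user "$_uid" -group "$_gid" -perm "$_g" \) -o \
        \( ! -user "$_uid" ! -group "$_gid" -perm "$_o" \) \
    \) -print | sort
}
```

Anything a user's directory returns for `read` is visible to every PHP script running in the module, whichever customer wrote it.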


