[thelist] PHP Perl Apache security
Keith
cache at dowebscentral.com
Tue Jul 22 16:08:51 CDT 2003
At 12:05 PM Monday 7/21/2003, Steve wrote:
>You don't need world-write permissions, you need the Apache user to have
>write permissions. Change owner or group on the PHP domains, turn on the
>correct write bit. Sandbox your PHP domains and your Perl domains
>separately with open_basedir and SuExec respectively.
I think you misunderstand PHP running as an Apache module. Running PHP
that way means that PHP gets its permissions wherever Apache gets them
because PHP is running in Apache. If Apache gets its permissions from the
world bit, so does PHP. In that case, PHP needs world write permissions to
write to a file.
>Perl cannot now write to files in PHP domains because they are no longer
>running as the Apache user. Similarly, PHP domains cannot get out of their
>domain sandbox to write to Perl domains.
SuExec does not sandbox Perl in any way. SuExec simply runs a Perl process
as the owner of the script, nothing more. Running as the owner of the
script, Perl can write to any file owned by the same user with only 0600
permissions. BUT, Perl can still read any file on the server that has world
read permissions, such as httpd.conf, and also write to any file with world
write permissions, such as any file in any domain that had world write set
so PHP can write to it.
Keith
====================
cache at dowebscentral.com
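
The mode-bit rules this thread argues over, as an added example that is not part of either poster's message: it models which files a mod_php process (running as the Apache user) and a SuExec'd Perl script (running as the script owner) can reach outside their own ownership. All uids, gids, paths and modes are constructed sample values; it assumes non-root processes and plain Unix permission bits with no ACLs.

```python
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "path uid gid mode")
Proc = namedtuple("Proc", "name uid gids")

def can(proc, entry, want):
    """Unix mode-bit check for a non-root process. Exactly one class
    applies: owner, else group, else other. want is 'r' or 'w'."""
    base = stat.S_IROTH if want == "r" else stat.S_IWOTH
    if proc.uid == entry.uid:
        shift = 6            # owner bits
    elif entry.gid in proc.gids:
        shift = 3            # group bits
    else:
        shift = 0            # world ("other") bits
    return bool(entry.mode & (base << shift))

def foreign_access(proc, entries):
    """Files the process does NOT own but can still read or write."""
    out = {}
    for e in entries:
        if e.uid == proc.uid:
            continue
        modes = "".join(w for w in "rw" if can(proc, e, w))
        if modes:
            out[e.path] = modes
    return out

# Constructed sample processes (hypothetical uids/gids).
APACHE = Proc("mod_php inside Apache", 48, {48})
ALICE_CGI = Proc("Perl CGI via SuExec, owner alice", 1001, {1001})

# Constructed sample files (hypothetical paths and owners).
HTTPD_CONF = Entry("/etc/httpd/conf/httpd.conf", 0, 0, 0o644)
ALICE_PRIV = Entry("/home/alice/www/private.dat", 1001, 1001, 0o600)
BOB_WORLD = Entry("/home/bob/www/guestbook.txt", 1002, 1002, 0o666)  # world-write
BOB_GROUP = Entry("/home/bob/www/counter.txt", 1002, 48, 0o660)      # group apache
FILES = [HTTPD_CONF, ALICE_PRIV, BOB_WORLD, BOB_GROUP]

if __name__ == "__main__":
    for proc in (APACHE, ALICE_CGI):
        print(proc.name)
        for path, modes in foreign_access(proc, FILES).items():
            print(f"  {modes:2} {path}")
```
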