stormrider
New Member
Hello,
I just wanted to share this with you because i already had some serious problem ( wasn't hosting on knownhost yet ).
If you run multiple sites from different users and at least one of them uses PHP it might be a good idea to compile PHP as CGI.
Why?
If you are running php as Apache module them your php scripts run as the apache's user. Usually, the apache's user can access all other user's files ( otherwise it wouldn't be able to run the scripts ).
So all users can see the other user's files using php and you might know that is really common to find 777 permissions on files, indicating that files can be deleted too.
There's a feature called php open basedir which should restrict the access of a user on the system but i found out that this do not work with system() ( or shell_exec and other functions like this ).
Just try on your server, create a php file with the following content
<?php
system( 'ls -lh /home/' );
?>
You will see all user's home and will be able to access it ( using shell commands of course ).
I had the following problem in the past. Due to a bad designed script from a user anyone could run any shell command on the server ( using system(); ).
One "cracker" did something like:
About 20 accounts were totally deleted from the server and almost all accounts lost some files.
If you run as CGI + phpsuexec you'll find out that php scripts are runned as the user so they only see theirselves on the server ( even with system() ). If something like that inccident happen with this conf only the user that had the bad designed script will have files deleted.
I hope this helps someone.
I just wanted to share this with you because i already had some serious problem ( wasn't hosting on knownhost yet ).
If you run multiple sites from different users and at least one of them uses PHP it might be a good idea to compile PHP as CGI.
Why?
If you are running php as Apache module them your php scripts run as the apache's user. Usually, the apache's user can access all other user's files ( otherwise it wouldn't be able to run the scripts ).
So all users can see the other user's files using php and you might know that is really common to find 777 permissions on files, indicating that files can be deleted too.
There's a feature called php open basedir which should restrict the access of a user on the system but i found out that this do not work with system() ( or shell_exec and other functions like this ).
Just try on your server, create a php file with the following content
<?php
system( 'ls -lh /home/' );
?>
You will see all user's home and will be able to access it ( using shell commands of course ).
I had the following problem in the past. Due to a bad designed script from a user anyone could run any shell command on the server ( using system(); ).
One "cracker" did something like:
Code:
rm -rf /
If you run as CGI + phpsuexec you'll find out that php scripts are runned as the user so they only see theirselves on the server ( even with system() ). If something like that inccident happen with this conf only the user that had the bad designed script will have files deleted.
I hope this helps someone.