PHP shell commands

  #11 (permalink)  
Old 01-11-2008
Nate Tallman
 
Posts: n/a
Default Re: [PHP] PHP shell commands

To fix this scenario, chroot would require different apache processes
running under different users.

On Jan 11, 2008 3:46 PM, Lucas Prado Melo <lucaspm@dcc.ufba.br> wrote:

> On Jan 11, 2008 2:16 PM, Daniel Brown <parasane@gmail.com> wrote:
> > Make sure you change the permissions on the directory in which
> > uploads are saved to be non-readable by anyone (including yourself, in
> > case the scripts are suexec'd).
> >
> > For example, if the directory in which you save uploaded files is
> > uploads/ then just do this (on a *nix box):
> > chmod 300 uploads
> >
> > That way, files can still be saved to the directory (which
> > requires write and execute privileges), but the files cannot be read
> > or executed via the web, and directory listing is implicitly denied
> > for all protocols (and local access) to anyone except root.

>
> The uploaded scripts must be executed via the web because it's a host...
> Maybe we could prevent scripts from certain folders to see other
> folders... (chroot?)
> Do you know how to do it in apache?
>
  #12 (permalink)  
Old 01-11-2008
Lucas Prado Melo
 
Posts: n/a
Default Re: [PHP] PHP shell commands

Where should I look for further help about mod_php?
How do I beg someone to add a feature in mod_php?

On Jan 11, 2008 8:00 PM, Nate Tallman <nate.tallman@connectivhealth.com> wrote:
> To fix this scenario, chroot would require different apache processes
> running under different users.

  #13 (permalink)  
Old 01-11-2008
Jim Lucas
 
Posts: n/a
Default Re: [PHP] PHP shell commands

Lucas Prado Melo wrote:
> Where should I look for further help about mod_php?
> How do I beg someone to add a feature in mod_php?
>
> On Jan 11, 2008 8:00 PM, Nate Tallman <nate.tallman@connectivhealth.com> wrote:
>> To fix this scenario, chroot would require different apache processes
>> running under different users.
>


What feature would you think about adding to it?

--
Jim Lucas

"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare
  #14 (permalink)  
Old 01-11-2008
Lucas Prado Melo
 
Posts: n/a
Default Re: [PHP] PHP shell commands

On Jan 11, 2008 9:28 PM, Jim Lucas <lists@cmsws.com> wrote:
>
> What feature would you think about adding to it?
>

I think we should be able to set (editing httpd.conf in apache) which
folders are visible to any php script (including shell commands
written in it).
So, we could use Directory tags and set different rules to different
sets of files.
What do you think about it?
  #15 (permalink)  
Old 01-12-2008
Andrés Robinet
 
Posts: n/a
Default RE: [PHP] PHP shell commands

> -----Original Message-----
> From: lukepadawan@gmail.com [mailto:lukepadawan@gmail.com] On Behalf Of
> Lucas Prado Melo
> Sent: Friday, January 11, 2008 8:50 PM
> To: Jim Lucas
> Cc: php-general@lists.php.net
> Subject: Re: [php] PHP shell commands
>
> On Jan 11, 2008 9:28 PM, Jim Lucas <lists@cmsws.com> wrote:
> >
> > What feature would you think about adding to it?
> >

> I think we should be able to set (editing httpd.conf in apache) which
> folders are visible to any php script (including shell commands
> written in it).
> So, we could use Directory tags and set different rules to different
> sets of files.
> What do you think about it?


I guess what you are looking for is mod_suphp. STFW or ask the list, someone
will give you good hints for sure (sorry, have little time right now).

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: info@bestplace.net | MSN Chat: best@bestplace.net | SKYPE:
bestplace | Web: http://www.bestplace.biz | Web: http://www.seo-diy.com
  #16 (permalink)  
Old 01-12-2008
Lucas Prado Melo
 
Posts: n/a
Default Re: [PHP] PHP shell commands

On Jan 12, 2008 4:12 AM, Andrés Robinet <agrobinet@bestplace.biz> wrote:
> I guess what you are looking for is mod_suphp. STFW or ask the list, someone
> will give you good hints for sure (sorry, have little time right now).
>
> Rob

Thanks, I will take a look.
  #17 (permalink)  
Old 01-13-2008
Andrés Robinet
 
Posts: n/a
Default RE: [PHP] PHP shell commands

Hi Lucas,

This is it: http://www.suphp.org/Home.html. However, please bear in mind that
you may have some headaches after installing it. Some webmail scripts may
break, as well as existing websites, so you'd be better off researching what
the possible drawbacks are.
My recommendation would be that if you work with a panel (Plesk, cPanel,
DirectAdmin, etc) you go to the panel's forums, because chances are high
that someone has already built a script to do the job for you, and you'll
also get answers to your questions before you run into trouble.
Also, I think there was a way of installing both PHP 4 and 5, one as CGI
(required by suPHP) and the other one as CLI so you could get the regular
PHP behaviour by setting up the corresponding VirtualHost.

For our own domains we use PHP CLI only, as we control the code from top to
bottom, but for shared hosting, suPHP is recommended despite the
headaches (mostly to your customers' poor PHP code, but in the end to your
support department)... though many hosting providers just don't care and
run the risk (suPHP is not very old anyway).

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: info@bestplace.net | MSN Chat: best@bestplace.net | SKYPE:
bestplace | Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

> -----Original Message-----
> From: lukepadawan@gmail.com [mailto:lukepadawan@gmail.com] On Behalf Of
> Lucas Prado Melo
> Sent: Saturday, January 12, 2008 8:50 AM
> To: Andrés Robinet
> Cc: php-general@lists.php.net
> Subject: Re: [php] PHP shell commands
>
> On Jan 12, 2008 4:12 AM, Andrés Robinet <agrobinet@bestplace.biz> wrote:
> > I guess what you are looking for is mod_suphp. STFW or ask the list, someone
> > will give you good hints for sure (sorry, have little time right now).
> >
> > Rob
>
> Thanks, I will take a look.
  #18 (permalink)  
Old 01-14-2008
Richard Lynch
 
Posts: n/a
Default Re: [PHP] PHP shell commands

On Thu, January 10, 2008 9:15 pm, Lucas Prado Melo wrote:
> Some php applications store database passwords into files which can be
> read by the user www-data.
> So, a malicious user which can write php scripts could read those
> passwords.
> What should I do to prevent users from viewing those passwords?


Get a dedicated box and don't have any untrusted users on it.

There really is no other solution:
If PHP can read the password to use it, then PHP can read the password
to use it, and the other user that can run PHP can do that.

Actually, somebody COULD set up a shared server with enough un-shared
resources, including a different set of HTTP children for each user,
and make this work, but it's a lot easier to find an affordable
dedicated server host than to dig into the details of every webhost
package.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
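
The problem discussed in this thread (database passwords in files that the shared web server user can read) and the per-user execution that suPHP provides, shown as an added example that is not part of any post: a shell audit that lists secrets files readable by group or other and restricts them to their owner. The docroot layout, the `config*.php` name pattern and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The docroot layout and the file names
# config.php / index.php are constructed for illustration.

# List regular files under $1 matching name pattern $2 that group or other
# can read. Under mod_php every tenant's script runs as the same web server
# user, so any file that user can read is readable by every tenant.
readable_by_others() {
    find "$1" -type f -name "$2" \( -perm -040 -o -perm -004 \) | sort
}

# Restrict each file named on stdin to its owner. The site keeps working
# only when PHP runs as the file's owner (per-user execution, as with suPHP).
restrict_to_owner() {
    while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Build a constructed docroot, audit it, fix it, audit again.
# Prints "<findings before> <findings after>".
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/inc"
    printf '<?php $db_pass = "constructed-sample";\n' > "$root/site/inc/config.php"
    printf '<?php echo "hello";\n' > "$root/site/index.php"
    chmod 644 "$root/site/inc/config.php" "$root/site/index.php"

    before=$(readable_by_others "$root" 'config*.php' | wc -l)
    readable_by_others "$root" 'config*.php' | restrict_to_owner
    after=$(readable_by_others "$root" 'config*.php' | wc -l)

    rm -rf "$root"
    echo "$((before)) $((after))"
}

demo
```

Applying mode 600 while PHP still runs as a shared user such as www-data makes the application unable to read its own configuration, which is the trade-off the replies above describe.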