httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Burden" <...@burden.ca>
Subject Re: [users@httpd] Security APACHE, PHP and CGI
Date Sat, 09 Apr 2005 16:18:19 GMT
If they are all owned by one account, couldn't owners of one subdomain just
FTP in and erase the files of some other owner?

----- Original Message ----- 
From: "Gare" <gare@wanadoo.es>
To: <users@httpd.apache.org>
Sent: Saturday, April 09, 2005 12:04 PM
Subject: [users@httpd] Security APACHE, PHP and CGI


> We have a site with several subdomains hosted, but the webmasters of these
> subdomains are not allowed to use their own CGI nor PHP.
> The box runs under Fedora with Apache 1.3, and webmasters of subdomains
are
> not users of the OS, they share the account of a user (the owner of the
main
> domain where subdomains are hosted).
> I would like to offer php and cgi support, but I am worried about
security.
> I know that PHP can be configured in secure mofe and that we can control
> access to directories.
> But CGI is too powerful, and a CGI program can access a lot of files in
the
> server.
> suExec is not a solution, because webmasters could access files in other
> subdomains (they share the same account).
>
> Is there any solution to host subdomains with php and cgi without
compromise
> server and subdomains security?
>
> thanks
>
>
>
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message