Re: Secure shared web hosting using MAC Framework

Board: FB_security. Posted 19 years ago (2007/02/25 18:28).
Momchil Ivanov wrote:

[...]

>>>>- Web users and executed web scripts shouldn't be able to read other
>>>>users data
>>>> Solution:
>>>> run suPHP for php scripts as well as suEXEC for cgi-scripts
>>>> implement ufs_acl so that the www (Web Server) user can access any
>>>>user directory
>>>> Add a ufs_acl to the Web users home directory which says:
>>>> read-write-exec only from $owner and www
>>>> Those rights should have priority on any traditional unix file
>>>>system rights.
>>>
>>>I believe the suphp will be an amazingly slow solution as it executes
>>>php executable on each request, IIRC. Thus, the speed will not be
>>>faster than php in cgi.
>>
>>But is there any way to disable related php functions? Is there any well
>>defined configuration examples for mod_php?
>
> Is this what you are looking for:
> http://www.php.net/manual/en/features.safe-mode.php
>
> <snip>
> disable_functions string
>
> This directive allows you to disable certain functions for security reasons.
> It takes on a comma-delimited list of function names. disable_functions is
> not affected by Safe Mode.
>
> This directive must be set in php.ini. For example, you cannot set this in
> httpd.conf.
>
> disable_classes string
>
> This directive allows you to disable certain classes for security reasons. It
> takes on a comma-delimited list of class names. disable_classes is not
> affected by Safe Mode.
>
> This directive must be set in php.ini. For example, you cannot set this in
> httpd.conf.
> </snip>

[...]

There is a PHP extension for better security called Suhosin. After
installation of this extension you have better control of what you want to
disable, or enable.
http://www.hardened-php.net/suhosin/configuration.html

The author of this extension was a developer in the PHP security team.

Miroslav Lachman
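
An added example, not part of the original message or the thread: a Python check built on the quoted manual text, which says `disable_functions` and `disable_classes` only take effect in php.ini and not in httpd.conf. The `REQUIRED` baseline, the function names and both sample configs are assumptions constructed for illustration.

```python
import re

# Assumed baseline of command-execution functions to check for; this list
# is an assumption of the example, not taken from the thread.
REQUIRED = {"exec", "passthru", "shell_exec", "system", "popen", "proc_open"}

def effective_disabled(php_ini_text):
    """Return the set named by disable_functions in php.ini text.

    ';' starts a comment; this example assumes the last assignment wins.
    Names are compared exactly as written.
    """
    value = ""
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    return {name.strip() for name in value.split(",") if name.strip()}

def ignored_httpd_lines(httpd_conf_text):
    """Find disable_functions/disable_classes set via mod_php directives.

    Per the manual text quoted above these only work in php.ini, so such
    lines give a false sense of protection and are reported with their
    line number. Lines commented out with '#' are skipped.
    """
    pat = re.compile(r"^\s*php_(?:admin_)?value\s+(disable_(?:functions|classes))\b", re.IGNORECASE)
    return [(n, m.group(1)) for n, line in enumerate(httpd_conf_text.splitlines(), 1)
            if (m := pat.match(line))]

def audit(php_ini_text, httpd_conf_text):
    return {"missing": sorted(REQUIRED - effective_disabled(php_ini_text)),
            "ignored_in_httpd": ignored_httpd_lines(httpd_conf_text)}

# Constructed sample inputs (not from the thread).
SAMPLE_INI = """\
; disable_functions = exec
disable_functions = "exec, system,passthru , shell_exec"
"""
SAMPLE_HTTPD = """\
<VirtualHost *:80>
    # php_admin_value disable_functions "x"
    php_admin_value disable_functions "popen,proc_open"
</VirtualHost>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_INI, SAMPLE_HTTPD))
```

On the constructed samples the audit reports `popen` and `proc_open` as not disabled, because the only line naming them sits in the virtual host block where the directive is not honoured.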
Article ID (AID): #15uMJH00 (FB_security)