php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #3450 Secuity Bug
Submitted: 2000-02-10 19:06 UTC Modified: 2000-05-22 04:10 UTC
From: argus at sover dot net Assigned:
Status: Closed Package: Other
PHP Version: 3.0.14 OS: BSDI 4.1
Private report: No CVE-ID: None
 [2000-02-10 19:06 UTC] argus at sover dot net
We have php 3.0.14 running on a server with 1000+ virtual domains on it.  Apache is running suexec so that cgi scripts run as the user.  The system is also has quotas.  

A user called foo runs a php3 script that writes a file in his home directory.  The user can write a file any place on the server.  I thought about changing the doc_root to something, but each domain's doc root is in a very different location.  The file is NOT owned by the user and therefor does NOT go against their quota.  The file is owned by the user who the web server is running under (in our case www).  This account (www) does not have quotas, and concievably foo could write a log file that could fill up the hard drive in a very short amount of time.  

Is there a way to make php scripts run as a user, the way suexec does?  Is there a way that doc_root can be defined for each and every virtual domain?

I really don't want to run php as a CGI, it defeats the purpose in my mind.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-05-22 04:10 UTC] jimw at cvs dot php dot net
because of Apache's process model, it is not possible to run
scripts as different user ids using the PHP Apache module.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 17:01:29 2024 UTC