Bug #3450 Security Bug
Submitted: 2000-02-10 19:06 UTC Modified: 2000-05-22 04:10 UTC
From: argus at sover dot net Assigned:
Status: Closed Package: Other
PHP Version: 3.0.14 OS: BSDI 4.1
Private report: No CVE-ID: None


 [2000-02-10 19:06 UTC] argus at sover dot net
We have php 3.0.14 running on a server with 1000+ virtual domains on it.  Apache is running suexec so that cgi scripts run as the user.  The system also has quotas.

A user called foo runs a php3 script that writes a file in his home directory.  The user can write a file any place on the server.  I thought about changing the doc_root to something, but each domain's doc root is in a very different location.  The file is NOT owned by the user and therefore does NOT go against their quota.  The file is owned by the user who the web server is running under (in our case www).  This account (www) does not have quotas, and conceivably foo could write a log file that could fill up the hard drive in a very short amount of time.

Is there a way to make php scripts run as a user, the way suexec does?  Is there a way that doc_root can be defined for each and every virtual domain?

I really don't want to run php as a CGI, it defeats the purpose in my mind.


 [2000-05-22 04:10 UTC] jimw at cvs dot php dot net
Because of Apache's process model, it is not possible to run
scripts as different user ids using the PHP Apache module.
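
The ownership problem described in this report can be measured from the administrator's side. The following is an added example, not part of the original report or of PHP itself: it walks a user's home directory and totals the regular files owned by the web server account, which are the files that escape that user's quota. The function names and the sample tree are constructed for illustration; in the demo the current uid stands in for the `www` account.

```python
import os
import stat
import tempfile


def audit_home(home, web_uid):
    """Return (files, total_bytes) for regular files under `home` owned by web_uid.

    Such files were created by the web server process, so they are charged
    to its account rather than to the home directory owner's quota.
    """
    files, total = [], 0
    for dirpath, _dirs, names in os.walk(home, followlinks=False):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # file vanished or unreadable
            if stat.S_ISREG(st.st_mode) and st.st_uid == web_uid:
                files.append((path, st.st_size))
                total += st.st_size
    return sorted(files), total


def demo():
    """Constructed sample tree; the current uid stands in for the web account."""
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, "logs"))
        with open(os.path.join(home, "logs", "script.log"), "wb") as f:
            f.write(b"x" * 2048)
        with open(os.path.join(home, "upload.dat"), "wb") as f:
            f.write(b"y" * 100)
        os.symlink("upload.dat", os.path.join(home, "link"))  # must be skipped
        me = os.getuid()
        flagged = audit_home(home, me)       # both files match the stand-in uid
        clean = audit_home(home, me + 1)     # no file is owned by this uid
        return flagged, clean


if __name__ == "__main__":
    (files, total), _ = demo()
    for path, size in files:
        print(f"{size:>8}  {path}")
    print(f"total bytes outside user quota: {total}")
```

On a real server the second argument would be the uid of the account the web server runs as, and the function would be run once per virtual domain's home directory.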