|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #3450 Secuity Bug
Submitted: 2000-02-10 19:06 UTC Modified: 2000-05-22 04:10 UTC
From: argus at sover dot net Assigned:
Status: Closed Package: Other
PHP Version: 3.0.14 OS: BSDI 4.1
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
42 - 17 = ?
Subscribe to this entry?

 [2000-02-10 19:06 UTC] argus at sover dot net
We have php 3.0.14 running on a server with 1000+ virtual domains on it.  Apache is running suexec so that cgi scripts run as the user.  The system is also has quotas.  

A user called foo runs a php3 script that writes a file in his home directory.  The user can write a file any place on the server.  I thought about changing the doc_root to something, but each domain's doc root is in a very different location.  The file is NOT owned by the user and therefor does NOT go against their quota.  The file is owned by the user who the web server is running under (in our case www).  This account (www) does not have quotas, and concievably foo could write a log file that could fill up the hard drive in a very short amount of time.  

Is there a way to make php scripts run as a user, the way suexec does?  Is there a way that doc_root can be defined for each and every virtual domain?

I really don't want to run php as a CGI, it defeats the purpose in my mind.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2000-05-22 04:10 UTC] jimw at cvs dot php dot net
because of Apache's process model, it is not possible to run
scripts as different user ids using the PHP Apache module.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jun 25 03:01:28 2024 UTC