[HCS-D]mod_php alternatives? (and tonight's work)

Gregory Price gprice at hcs.harvard.edu
Mon Dec 6 01:07:57 EST 2004

I sent this to manager a short while ago, but it should go to hcs-discuss too.


----- Forwarded message from Gregory Price <gprice at hcs.harvard.edu> -----
Date: Mon, 6 Dec 2004 00:13:40 -0500
From: Gregory Price <gprice at hcs.harvard.edu>
To: manager at hcs.harvard.edu

So the Brazilian hackers are back, running IRC servers and other things as www.

The following are ways they might have come in since TWiki was patched last Sunday:

  - www-owned or twiki-owned processes we didn't kill

  - www-or-twiki owned-or-writable files that get run or affect
  processes that get run and that they touched

  - an exploit in some cgi that gets run as www -- which means any PHP script.

No others, I don't think, unless they got root, which we have no sign they did.

We're going to kill all twiki processes and replace the twiki
binaries, then restart twiki.  That'll be not too hard.

We've killed all www processes and restarted apache.  But any badly
written PHP script in some random group's web site -- and there are
enough of those -- could have an exploit that gives www.  To fix this,
we'll have to get PHP scripts running as their owner rather than as

This turns out to be more trouble than one would hope.  Googling, it looks like 
mod_php, which we run, can't run stuff as another user than apache runs as.

So -- who knows something about alternatives to mod_php?
What's the usual way to get php scripts run as their owners?


----- End forwarded message -----

More information about the hcs-discuss mailing list