[HCS-D]mod_php alternatives? (and tonight's work)

Philip Zeyliger philz at hcs.harvard.edu
Mon Dec 6 16:13:25 EST 2004


> Yeah, I saw what looked like such a thing in ~dunster.  I saw also on
> Google a how-to for what looked like setting up such a thing systemwide.

It's not just in Dunster, but yeah.

> I haven't looked carefully at this script; is it the sort of thing
> that'd leave us more secure than we started?

That script is more or less alright.  Well, I think so, anyway.

>  - A separate suexec just for PHP:
>     http://www.suphp.org/

I tried this once and it didn't work.  YMMV.  There were also Apache2 v Apache1 issues.

>     This is accurate. The solution is securing the system in other ways, 
>     including but not limited to ACLs, TPE, socket control, and chroot for 
>     the web server.
> Do you mean running apache as root, and then doing other things to
> maintain security?

He means running apache such that Apache can't see parts of the
directory tree. "chroot" is a syscall that lets you define what
"/" means.  There's also BSD jail(8) environments, which I know
nothing about.  I'd guess both of these would be moderately hard
to do in practice.


		-- Phil

-- 
                              (Note new e-mail)
      Philip Zeyliger :|: zeyliger at post.harvard.edu :|: Dunster '04
	``I figured that all out once, and for six months I never slept 
	  with the electric light off.  That was another bright idea.''
	                      -- Ernest Hemingway, _The Sun Also Rises_

