[HCS-D]mod_php alternatives? (and tonight's work)
philz at hcs.harvard.edu
Mon Dec 6 16:13:25 EST 2004
> Yeah, I saw what looked like such a thing in ~dunster. I saw also on
> Google a how-to for what looked like setting up such a thing systemwide.
It's not just in Dunster, but yeah.
> I haven't looked carefully at this script; is it the sort of thing
> that'd leave us more secure than we started?
That script is more or less alright. Well, I think so, anyway.
> - A separate suexec just for PHP:
I tried this once and it didn't work. YMMV. There were also Apache2 v Apache1 issues.
> This is accurate. The solution is securing the system in other ways,
> including but not limited to ACLs, TPE, socket control, and chroot for
> the web server.
> Do you mean running apache as root, and then doing other things to
> maintain security?
He means running apache such that Apache can't see parts of the
directory tree. "chroot" is a syscall that lets you define what
"/" means. There's also BSD jail(8) environments, which I know
nothing about. I'd guess both of these would be moderately hard
to do in practice.
(Note new e-mail)
Philip Zeyliger :|: zeyliger at post.harvard.edu :|: Dunster '04
``I figured that all out once, and for six months I never slept
with the electric light off. That was another bright idea.''
-- Ernest Hemingway, _The Sun Also Rises_