Limit php to one user?

  • mrbog

    Limit php to one user?

    As a security measure, I'd like .php files to only execute on my web
    site if they're owned by a certain user. (Linux server). Can I do
    that?
  • Chris Hope

    #2
    Re: Limit php to one user?

    mrbog wrote:
    > As a security measure, I'd like .php files to only execute on my web
    > site if they're owned by a certain user.  (Linux server). Can I do
    > that?

    You can with Apache and virtualhosts. I don't know about IIS or others.

    Instead of having
    AddType application/x-httpd-php .php
    in a global scope you just put it into the appropriate virtual hosts.

    Note however that if you allow .htaccess files they can put this into
    an .htaccess file and can then use PHP. If you don't allow .htaccess files
    then this isn't a problem.

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/


    • mrbog

      #3
      Re: Limit php to one user?

      I do mean apache, but I meant only one user on the server. As in a
      unix user, like a shell account.

      So, if the php file is owned by user joe, then it will execute on the
      site, if not, then it won't. This way, if someone manages to upload a
      php file to my site, it won't execute because it will be owned by the
      "nobody" user.


      Chris Hope <blackhole@electrictoolbox.com> wrote in message news:<1087863830_64673@216.128.74.129>...
      > mrbog wrote:
      >
      > > As a security measure, I'd like .php files to only execute on my web
      > > site if they're owned by a certain user. (Linux server). Can I do
      > > that?
      >
      > You can with Apache and virtualhosts. I don't know about IIS or others.
      >
      > Instead of having
      > AddType application/x-httpd-php .php
      > in a global scope you just put it into the appropriate virtual hosts.
      >
      > Note however that if you allow .htaccess files they can put this into
      > an .htaccess file and can then use PHP. If you don't allow .htaccess files
      > then this isn't a problem.
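A check that covers the ownership goal in post #3 and the .htaccess caveat in post #2, added here as an example and not code from any poster in this thread: it lists .php files under a document root that are not owned by the trusted account, and .htaccess files that switch PHP on. The function names, the sample tree and the set of directives matched are assumptions of this example.

```python
import os
import re
import stat
import tempfile

# Directives that can switch PHP on for a directory when overrides are allowed.
PHP_ENABLE = re.compile(r"^\s*(AddType|AddHandler|SetHandler)\b.*php", re.I | re.M)

def audit_docroot(docroot, trusted_uid):
    """Return (foreign_php, htaccess_enabling_php) as sorted relative paths."""
    foreign, overrides = [], []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue                   # only regular files are inspected
            rel = os.path.relpath(path, docroot)
            if name.lower().endswith(".php") and st.st_uid != trusted_uid:
                foreign.append(rel)        # script not owned by the trusted user
            elif name == ".htaccess":
                with open(path, errors="replace") as fh:
                    if PHP_ENABLE.search(fh.read()):
                        overrides.append(rel)
    return sorted(foreign), sorted(overrides)

def build_sample(root):
    """Constructed sample tree: a site script, an uploaded script, an override."""
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        "index.php": "<?php echo 'home';",
        "static.html": "<p>hi</p>",
        os.path.join("uploads", "avatar.php"): "<?php echo 'uploaded';",
        os.path.join("uploads", ".htaccess"): "AddType application/x-httpd-php .php\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        me = os.getuid()
        # Every sample file is owned by the current user, so nothing is foreign.
        print(audit_docroot(root, me))
        # Treat a different uid as the trusted one: both scripts are reported.
        print(audit_docroot(root, me + 1))
```

On a real server, pass the document root and the numeric uid of the account that is supposed to own the scripts.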


      • Michael Austin

        #4
        Re: Limit php to one user?

        mrbog wrote:
        > I do mean apache, but I meant only one user on the server. As in a
        > unix user, like a shell account.
        >
        > So, if the php file is owned by user joe, then it will execute on the
        > site, if not, then it won't. This way, if someone manages to upload a
        > php file to my site, it won't execute because it will be owned by the
        > "nobody" user.
        >
        > Chris Hope <blackhole@electrictoolbox.com> wrote in message news:<1087863830_64673@216.128.74.129>...
        >
        > > mrbog wrote:
        > >
        > > > As a security measure, I'd like .php files to only execute on my web
        > > > site if they're owned by a certain user. (Linux server). Can I do
        > > > that?
        > >
        > > You can with Apache and virtualhosts. I don't know about IIS or others.
        > >
        > > Instead of having
        > > AddType application/x-httpd-php .php
        > > in a global scope you just put it into the appropriate virtual hosts.
        > >
        > > Note however that if you allow .htaccess files they can put this into
        > > an .htaccess file and can then use PHP. If you don't allow .htaccess files
        > > then this isn't a problem.


        I can do this with PHP on OpenVMS. I can set an ACL that only allows
        the user that runs the web server to have access to it..., I don't use
        any file-upload scripts either, but then again, I don't worry about
        someone hacking my system cuz it can't be done... many have tried and
        failed. This is what you get when you use a "real" operating system,
        not the Swiss-cheese-for-security variety (*n*x, W{any version}).

        Michael Austin.
