[Nottingham] suPHP

Martin martin at ml1.co.uk
Sat Jul 24 18:35:54 UTC 2010


On 24/07/10 18:22, Frederic Vagner wrote:
> Hello,
> 
> Yes, I use it sometimes, it is quite good as it runs your scripts with
> your user instead of the user apache, no downside so far except you have
> to change all the settings of the websites used to work with apache.

I was thinking of using:

AddHandler su-php-script .php

to avoid having to change any scripts anywhere.


> Also, you have to make sure that your websites are securely set up and
> that there is no bug in your PHP scripts, as someone could harm your
> website if he got to execute a PHP script in it. For that reason, it is
> usually better to run a php script with apache as it would usually not
> allow a hacker to create a file or modify it if your files use the
> correct permissions (644).

Rather than using the apache or any real users, I was thinking of
setting up nologin user accounts for suPHP instances to use specific to
each website being vhosted by apache. The hope there is that if one site
gets hacked, a second site under a different user id will be kept
untainted...

The real question is whether running the php scripts under a user
different from apache will keep apache from being hacked via dubious php?...


Or is it better just to have all the web files under a completely
different user and set 644 so that apache can't modify them?

This is for a test of Wordpress... Does it change its web files or are
changes only made to the database?

Cheers,
Martin

-- 
----------------
Martin Lomas
martin at ml1.co.uk
----------------
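
The two layouts weighed in the message above (a separate account per vhosted site, or web files kept at 644 so that other accounts cannot modify them) can both be checked on disk. This is an added example, not part of the original post; the function names are hypothetical and it assumes GNU find and stat.

```shell
#!/bin/sh
# Added example: audit vhost document roots for the two properties
# discussed in the message. Assumes GNU find and stat (Linux).

# Print every file or directory under "$1" that group or other can write.
# With 644 files and 755 directories this prints nothing.
writable_by_others() {
    find "$1" \( -type f -o -type d \) -perm /022 -print
}

# Print "uid<TAB>path" for each document root given as an argument.
docroot_owners() {
    for root in "$@"; do
        printf '%s\t%s\n' "$(stat -c '%u' "$root")" "$root"
    done
}

# Print each uid that owns more than one document root.
# Per-site isolation wants this list to be empty.
shared_owners() {
    docroot_owners "$@" | cut -f1 | sort | uniq -d
}

# Return 0 only if every docroot has its own owner and nothing under
# any of them is writable by group or other.
audit_docroots() {
    rc=0
    dup=$(shared_owners "$@")
    if [ -n "$dup" ]; then
        echo "uid(s) owning more than one docroot: $dup"
        rc=1
    fi
    for root in "$@"; do
        loose=$(writable_by_others "$root")
        if [ -n "$loose" ]; then
            echo "group/other-writable under $root:"
            echo "$loose"
            rc=1
        fi
    done
    return $rc
}
```

Called as `audit_docroots /path/to/site1 /path/to/site2` (placeholder paths), it exits non-zero when two sites share an owner or when any file is looser than 644.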


