Newsgroups: php.internals
Message-ID: <014f01c73a16$d69ea080$0201a8c0@pc1>
Date: Wed, 17 Jan 2007 03:06:55 -0600
Subject: Re: [PHP-DEV] Comments on PHP security
From: php_lists@realplain.com ("Matt Wilmas")
To: "Alain Williams", "Arnold Daniels"

Hi Arnold, Alain,

----- Original Message -----
From: "Alain Williams"
Sent: Wednesday, January 17, 2007

> On Wed, Jan 17, 2007 at 12:45:37AM +0100, Arnold Daniels wrote:
> > Hi,
> > [...]
> > Last, I'm a software developer at a shared hosting company. In my
> > opinion, making sure that users don't touch other people's files does
> > not belong in the PHP layer. With other apache modules you can do nasty
> > things as well. We (not me) have written a kernel patch to allow
> > switching of the current processes (much like sudo) and a matching
> > apache module. Since the privileges only allow the user or group to
> > access the file, linux does the rest. Another solution is to start PHP
> > as cgi under the correct user, but other things will never be really safe.
>
> Care to share that with the world?

Yeah, I was gonna ask about that, too. :-) Sounds interesting!

Matt