Apache2/mod_fcgid/PHP5 On Debian security issue

Discussion in 'Server Operation' started by mravunko, Sep 12, 2010.

  1. mravunko

    mravunko New Member

    I followed this tutorial:


    It is good that user web1 cannot read the files of web2 but web1 can read the whole filesystem. Is there an easy way to stop web1 walking through the whole filesystem? I think it is not a good idea that web1 can read all configuration options, passwd file and many more files.

    This simple code:
    $a = `cat /etc/passwd`;
    echo $a;
    reads the passwd file despite setting open_basedir = /var/www in the php.ini file.

    Thanks in advance,
  2. webcycler

    webcycler New Member

    mod_chroot?

    He is right.
    Unless you switch on safe_mode in php.ini, one can read /etc/passwd this way.

    Wouldn't it be better to have mod_chroot in conjunction with mod_fcgid?

    Will there be a howto?
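
An added example, not part of the thread or of the tutorial it refers to: a small audit of php.ini text for the gap both posts describe, where open_basedir is set but PHP can still start external programs such as cat. The function list, the use of disable_functions as the alternative to safe_mode, and the sample ini contents are assumptions constructed for illustration.

```python
# Added example: audit php.ini text for the gap described in this thread.
# Backticks are shell_exec(); open_basedir does not apply to spawned programs.
SPAWN_FUNCS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")
ON_VALUES = {"1", "on", "yes", "true"}

def parse_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":   # skip comments and [section] headers
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.split(";", 1)[0].strip().strip("\"'")  # drop inline comment
        conf[key.strip().lower()] = value
    return conf

def audit(text):
    """Return findings where open_basedir is the only restriction in place."""
    conf = parse_ini(text)
    findings = []
    if not conf.get("open_basedir", ""):
        findings.append("open_basedir is not set")
    # Second post: with safe_mode on, the backtick read no longer works
    # (safe_mode disables shell_exec and limits exec to safe_mode_exec_dir).
    if conf.get("safe_mode", "").lower() in ON_VALUES:
        return findings
    disabled = {f.strip().lower() for f in conf.get("disable_functions", "").split(",")}
    allowed = [f for f in SPAWN_FUNCS if f not in disabled]
    if allowed:
        findings.append("spawned programs bypass open_basedir via: " + ", ".join(allowed))
    return findings

# Constructed sample: the setup from the first post (open_basedir only).
SAMPLE_WEAK = """[PHP]
open_basedir = /var/www
safe_mode = Off
; disable_functions =
"""
# Constructed sample: same basedir, process spawning disabled (not an exhaustive list).
SAMPLE_RESTRICTED = """[PHP]
open_basedir = /var/www
disable_functions = shell_exec, exec, system, passthru, popen, proc_open
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("restricted", SAMPLE_RESTRICTED)):
        print(name, audit(text) or "no findings")
```

safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on those versions only the disable_functions branch of the check applies. Neither setting confines what the PHP process itself can read outside the docroot through other means; that is the part the mod_chroot question is about.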

