[webapps] PHP files owner
Tomasz Pala
gotar at polanet.pl
Sun Jun 3 13:59:04 CEST 2007
Hello,
I was considering a bug in any of the shipped webapps. Even though the
server can be safe_mode enabled, there is a possibility to read
information that should remain confidential, like the users list from
passwd, valuable for spammers. I leave other restrictions out deliberately, as
ACLs, open_basedir etc. are not part of our default policy.
Currently a system-wide package creates a bigger threat than any user
script, no matter how the environment IS secured (safe_mode, suexec PHP
as CGI etc.).
Shouldn't we change the default root:root owner to some webapps:webapps?
--
Tom Pala <gotar at pld-linux.org> http://vfmg.sourceforge.net/
http://tccs.sourceforge.net/