Hi,
Richard Lynch wrote:
> I suspect that people who looked into doing this fall into two categories:
>
> Those who heeded the experts who told them "Don't do that" and didn't do
> it.
>
> Those who ignored the experts, went ahead and did it, and cobbled together
> enough band-aid security measu
Hi,
Jason Wong wrote:
> To put it simply you would have to check *extremely* carefully the user
> input to ensure that it is not malicious, and that it is what it should
> be. I believe your original problem was about writing procmail files.
No, not exactly.
Thank you just the same, you bring up
> Quite true. However, warnings about "don't do this or that", "an
> attacker may use this" and so on are numerous, but advice on what to do
> about it is rarer. And this thing with system calls is a good example:
> I can find many warnings about not doing it, but not a single piece of
> advice abo
On Thursday 10 February 2005 11:58, Niels wrote:
> Richard Lynch wrote:
> > Perhaps the reason there is no article or tutorial is that it would
> > be a book, not an article or tutorial :-)
> >
> > There are so MANY affected/related software system pieces that you
> > can't do it justice in an arti
Richard Lynch wrote:
> Perhaps the reason there is no article or tutorial is that it would be a
> book, not an article or tutorial :-)
>
> There are so MANY affected/related software system pieces that you can't
> do it justice in an article or tutorial, I suspect.
Quite true. However, warnings a
Niels wrote:
> Richard Lynch wrote:
> One of the things I've asked for is articles and tutorials, but there
> apparently aren't any on this subject. I can find many on validating user
> input, securing sessions and that kind of thing. But not this, no "howto
> make php run useradd safely". I've see
Hi!
Richard Lynch wrote:
>Don't take the wrong but you're probably not really skilled enough (yet)
>to do what you want to do...
You're right, but we all have to start somewhere. And I don't take the
wrong, I appreciate your answer.
>sudo is probably the best solution,
Well, it's the only one t
Niels wrote:
> Jennifer Goodie wrote:
>
>> Should web applications have access to areas on the file system that the
>> apache user doesn't? I personally only allow my web applications access
>> to certain areas on purpose and set my permissions to accomplish this.
>> If I need to be a user othe
On Wed, 09 Feb 2005 05:42:21 +0100, Niels <[EMAIL PROTECTED]> wrote:
> So my question is: Is sudo the best solution?
It all comes down to the fact that to do certain tasks you require
elevated permissions above and beyond what your web server user has as
it runs the web server. There are many opt
Jennifer Goodie wrote:
> Should web applications have access to areas on the file system that the
> apache user doesn't? I personally only allow my web applications access
> to certain areas on purpose and set my permissions to accomplish this. If
> I need to be a user other than nobody to do so
-- Original message --
From: Niels <[EMAIL PROTECTED]>
> Jennifer Goodie wrote:
>
> > I wouldn't use system calls to move files around. PHP has built in file
> > system functions. Why shell out to do something that is built in?
>
> Well, the apache user really s
Guillermo Rauch wrote:
> This article may help:
> http://www.onlamp.com/pub/a/php/2003/08/28/php_foundations.html
Thank you, I've read that, it deals with avoiding malicious code in file
uploads. I think I've got that part under control. You're right, such
methods are obvious entry points to a s
Jennifer Goodie wrote:
> I wouldn't use system calls to move files around. PHP has built in file
> system functions. Why shell out to do something that is built in?
Well, the apache user really shouldn't have access to the entire file system
-- that's the problem.
Thanks,
Niels
This article may help:
http://www.onlamp.com/pub/a/php/2003/08/28/php_foundations.html
On Tue, 08 Feb 2005 20:38:48 +, Jennifer Goodie <[EMAIL PROTECTED]> wrote:
> -- Original message --
> From: Niels <[EMAIL PROTECTED]>
> > Hi list,
> >
> > I'm doing an intr
-- Original message --
From: Niels <[EMAIL PROTECTED]>
> Hi list,
>
> I'm doing an intranet website for managing users. I need to be able to
> change passwords, move files and folders around and that kind of thing.
> What is the best way?
>
I wouldn't use system
Greg Donald wrote:
> sudo can assist you with this task.
Thank you for your answer. Can you be more specific? Is sudo the best way to
go? What are the pros and cons? Should I wrap my system calls in a C
program or a bash script? Do you know of any websites with articles or
tutorials about this?
On Tue, 08 Feb 2005 03:14:43 +0100, Niels <[EMAIL PROTECTED]> wrote:
> I'm doing an intranet website for managing users. I need to be able to
> change passwords, move files and folders around and that kind of thing.
> What is the best way?
sudo can assist you with this task.
--
Greg Donald
Zend