Re: [Jack-Devel] www.jackaudio.org defacement

Prev	Next Index
Date	Fri, 30 Dec 2011 14:52:43 -0800
From	Robert M. Riches Jr. <[hidden] at jacob21819 dot net>
To	[hidden] at linuxaudiosystems dot com, [hidden] at jrigg dot co dot uk
Cc	[hidden] at lists dot jackaudio dot org
In-Reply-To	Paul Davis Re: [Jack-Devel] www.jackaudio.org defacement
Follow-Up	Paul Davis Re: [Jack-Devel] www.jackaudio.org defacement

> Date: Fri, 30 Dec 2011 17:24:26 -0500
> From: Paul Davis <[hidden]>
> To: John Rigg <[hidden]>
> Cc: [hidden]
>
> for now, i've switched the user that the website "runs as", but made a
> different user the owner of all the files that comprise the website
> itself. in theory this should prevent web-vectored attacks from
> modifying any files. dreamhost does things slightly oddly AFAICT: i
> think the httpd server itself runs as "nobody" but any CGI scripts are
> executed as a specified user.


I might be mistaken, but doesn't the cgi or fast-cgi flavor of
php.ini control what user runs CGI scripts?

HTH

Robert

Prev	Next Index

1325285574.31816_0.ltw:2,a <20111230225243.1FE2826513 at one dot localnet>