Support

masood_y · #1 04-23-2009, 06:40 AM

Do you have any idea for patch PHP suEXEC with "ln" command?

masood_y · #2 04-23-2009, 07:35 AM

PHP suEXEC is enale on my server.
But users can link to outside him directory with "ln" and seee other sites configuration files.
And its a big security issue.

mistwang · #3 04-23-2009, 08:14 AM

Everything follow Linux/Unix file system permission, there is no magic.
Maybe, you should prevent user from execute "ln" from PHP by tighten the grip on php.ini .

mistwang · #4 04-23-2009, 01:32 PM

try tuning

http://www.litespeedtech.com/docs/we...llowSymbolLink

use "If Owner Match"

masood_y · #5 04-23-2009, 01:39 PM

Problem not solved by doing above tuning.
Please check your private message for see bug details.

mistwang · #6 04-23-2009, 06:29 PM

Also need to set http://www.litespeedtech.com/docs/we...heckSymbolLink

to "Yes".

masood_y · #7 04-24-2009, 05:27 AM

Is not resolved too.

mistwang · #8 04-24-2009, 06:08 AM

There is no way to prevent the perl script from creating a symbolic link, unless you disable perl.
The best can be done is to block access to target file pointed to the symbolic link, above configuration changes does that.