[BlueOnyx:09016] Re: Roundcube and suPHP
Michael Stauber
mstauber at blueonyx.it
Fri Nov 11 05:58:01 -05 2011
Hi Steven,
> It's all a bit hacky, Michael may be able to give a better solution....
Yeah, that is indeed *very* hacky. In fact I would *strongly* suggest NOT to
set min_uid=0 and min_gid=0 in suphp.conf
Reason: This defeats the purpose of using suPHP and could allow someone to
elevate his privileges through PHP scripts. Imagine what happens if there is a
root owned php script in the webspace of said site (no telling how it got
there). With which UID will suPHP run it then now that all stops are pulled?
;-)
So please don't do that.
Indeed: suPHP doesn't play nice with a couple of things such as web aliases,
which point to PHP applications outside of the web tree. Such as phpMyAdmin,
RoundCube, Squirrelmail or whatever else.
Sadly: I haven't found a good workaround for this yet. Other than to have one
site w/o suPHP enabled and pointing RoundCube users to that URL over there
instead.
--
With best regards
Michael Stauber
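
Added example, not part of the original message and not BlueOnyx or suPHP code: a shell audit for the two conditions the post warns about, min_uid/min_gid floors lowered in suphp.conf and PHP files owned by a privileged account inside a web tree. The function names, the floor of 100 and the temporary paths are assumptions made for illustration; GNU find is assumed for the numeric -uid/-gid tests.

```shell
#!/bin/sh
# Added example (not from the original post): audit suPHP's UID/GID floors
# and look for PHP files that a lowered floor would expose.

# Print the effective value of KEY in a suphp.conf-style file.
# ';' comment lines are skipped; the last assignment wins.
suphp_get() {   # $1 = key, $2 = config file
    awk -F= -v k="$1" '
        /^[ \t]*;/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k   { val = $2; gsub(/[ \t\r]/, "", val) }
        END        { if (val != "") print val }
    ' "$2"
}

# Report min_uid/min_gid values below FLOOR. Returns 0 only if both pass.
check_floors() {   # $1 = config file, $2 = floor
    rc=0
    for key in min_uid min_gid; do
        val=$(suphp_get "$key" "$1")
        case $val in
            ''|*[!0-9]*) echo "$key: missing or not numeric"; rc=1 ;;
            *) [ "$val" -ge "$2" ] || { echo "$key=$val is below $2"; rc=1; } ;;
        esac
    done
    return "$rc"
}

# List *.php files under DOCROOT whose owner UID or GID is below FLOOR
# (root-owned scripts show up for any FLOOR > 0). Assumes GNU find.
list_privileged_php() {   # $1 = docroot, $2 = floor
    find "$1" -type f -name '*.php' \( -uid "-$2" -o -gid "-$2" \) -print
}

# Demo on constructed input: a config with both floors zeroed, as in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf '[global]\n; min_uid=100\nmin_uid=0\nmin_gid=0\n' > "$d/suphp.conf"
    # The floor of 100 is an assumed policy value, not taken from the post.
    check_floors "$d/suphp.conf" 100 || echo "floor check failed"
    rm -rf "$d"
}
demo
```

Run list_privileged_php against each site's document root with the same floor; any file it prints is one suPHP would only execute after the floors were lowered.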