PHPTOm writes:
> My question is this: is it
> normally ok to just copy a binary to a new location in linux or do I
> need to specify the target location during compile?

Normally, yes.  Usually, what is hard coded into a binary is the path to
config files.  PHP, for example, has a hard coded path to php.ini.  You can
place the binary anywhere you want, but it will always look for php.ini in
the same place.

Allowing the user to call external binaries is always risky.  Programs
designed to be run locally quite likely have exploitable security holes.
Make sure you do a security audit of everything first.  If you can find a
security hole with grep, so can your users.  It is probably better to use
the PHP pspell extension.

I strongly suggest not using safe mode for PHP.  While I haven't done an
audit, I imagine there is at least one hole.  Considering how easy it is to
crash the PHP interpreter (for example, infinite recursion), I doubt it's
totally secure.  And even if it is, just configuring it properly is
difficult.  Relying on safe mode means your setup isn't secure.

As the PHP manual says, and as anyone should realize, the proper way to
solve the problem is at the OS level.  CGI scripts, including PHP, need to
be run as the owner of the script.  This solves two major problems that
occur under the typical Apache / mod_php setup.

* Scripts cannot keep anything private.  If a script has to connect to the
database, the authentication info is stored in the script.  Because the
script is readable by the web server, any other user on the system can grab
the authentication info.  A friend of mine had his database on SourceForge
trashed because of this.

* Scripts cannot securely write to anything.  If a script needs to write a
file, then the file must be world writable, or at least writable by the web
server.  This means any other user on the system can write to the file.

-- 
David Phillips <david at acz.org>
http://david.acz.org/


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
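
The two problems listed in the message (scripts cannot keep anything private, and cannot write securely) can be checked mechanically on a shared host. The following audit is an added example, not part of the original message: it reports which files under a document root the web server account can read or write. The function names, the uid/gid arguments and the file names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def access_for(st, uid, gids):
    """(can_read, can_write) for a non-root process with this uid and group set.

    Same order as the kernel: owner bits if the uid owns the file, else group
    bits if a gid matches, else the "other" bits.
    """
    if st.st_uid == uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(st.st_mode & r), bool(st.st_mode & w)


def audit(docroot, httpd_uid, httpd_gids):
    """Report what the web server account can read or write under docroot.

    With mod_php every user's script runs as that account, so this is also
    what every other user's script can reach. Search (x) bits on parent
    directories and ACLs are not checked; symlinks are skipped.
    """
    report = {"readable": [], "writable": []}
    for top, dirs, files in os.walk(docroot):
        for name in dirs + files:
            path = os.path.join(top, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            can_read, can_write = access_for(st, httpd_uid, set(httpd_gids))
            rel = os.path.relpath(path, docroot)
            if can_read and stat.S_ISREG(st.st_mode):
                report["readable"].append(rel)
            if can_write:
                report["writable"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    # Constructed tree: a config file left readable by everyone, and a private one.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("config.php", 0o644), ("private.php", 0o600)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        owner = os.stat(root).st_uid
        print(audit(root, httpd_uid=owner + 1, httpd_gids=[]))
```

Passing the script owner's own uid as `httpd_uid` shows the other arrangement the message recommends: scripts run as their owner, so mode 0600 files are reachable by that owner only.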