[Mediawiki-l] LocalSettings.php - Security for MW on SourceForge
Brion Vibber
brion at pobox.com
Tue Dec 21 06:56:26 UTC 2004
On Dec 20, 2004, at 8:45 PM, gregwk wrote:
[snip]
> Is SourceForge somehow fundamentally different from the Mozilla and
> DreamHost servers?
That's correct.
Mozilla runs their own server, so doesn't have to worry about malicious
local users. (By the way, the page you were looking at is just a copy
of the documentation on meta.wikimedia.org.)
DreamHost runs PHP scripts through a CGI handler, so the effective user
ID of the script process can be that of the particular virtual host's
own account. Thus your own script can read files that other local users
and their scripts cannot read.
SourceForge runs PHP as an Apache module, with all users' scripts
running under a single user ID which is different from the user and
group IDs of the individual projects. It is impossible for your script
to read a file unless all scripts are given permission to read the
file.
For more information please see:
http://sourceforge.net/docman/display_doc.php?
docid=4297&group_id=1#security
http://sourceforge.net/docman/display_doc.php?
docid=14267&group_id=1#websharedreason
-- brion vibber (brion @ pobox.com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.wikimedia.org/pipermail/mediawiki-l/attachments/20041220/d9ca0750/attachment.pgp
More information about the MediaWiki-l
mailing list