mod_php: Not enough security

Hello,

I've asked around a few other places about this, and nobody seems to have a suitable answer. I decided to ask here, because there's a larger number of people who administrate multi-user systems here.

My problem is this: Even with safe_mode and restrict_basedir on, mod_php does not provide me with nearly enough security to run a 2000 user system. The number one issue is the lack of suexec permissions. As a result, users are able to (and have) place(d) scripts, mainly IRC bots and telnet daemons, in /tmp/ and execute them as the user "apache". With the sheer number of people using this system, parsing logs for the user(s) who is/are doing this is almost impossible. I would like to know how to go about:

1. Making all files created by mod_php owned by the user
2. Removing the ability to spawn processes by the "apache" user from within mod_php.

mod_php 4.3.6_rc2, Apache 1.3.33, kernel 2.4.27-pre6, Gentoo Linux.

Thanks In Advance,

--FlatFace