|
|
Posted by shimmyshack on 06/21/07 16:55
On Jun 21, 4:19 pm, damezumari <jannordgr...@gmail.com> wrote:
> Anonymous:
> Thanks for the tips on the extra space. You were right.
>
> shimmyshack:
> 1. I did as you suggested in Control Panel and edit the system
> variable Path to include the folder where mysqldump.exe sits. Then I
> could replace "..\..\mysql\bin\mysqldump..." with "mysqldump...".
>
> 2. " It does sound though like you have your apache being run as
> SYSTEM -
> and so it is able to range throughout the filesystem, you might
> consider locking that down a bit (if you are running xp pro) but
> creating and apache user."
> How do I create an apache user?
>
> 3. I created a backup user like you suggested and it worked fine!
>
> Thank you for your help!
>
> Regards,
>
> Jan Nordgreen
if you have windows xp PRO, you can goto "my computer" (or explorer)
tools->folder options->view->uncheck "use simple file sharing
(recommended)"
now you will have more config options to create users.
start->run->compmgmt.msc->local users and groups->users
(right click users on left) -> new user
username:apache
full name: apache user
description: this is the user apache uses
set some strong password
[] user must change password at next logon
[x] user cannot change password
[x] password never expires
[] account is disabled
ok it
double click your new apache user, member of tab
get rid of everything, so it is a member of nothing.
now you have your apache user, find the folders which you would like
apache to be able to access
each one - think where your config files are, the exes, the tmp
folder, the doc root, everything that apache needs to function, if you
run php as a module then include where php is.
You might find that all this is covered by something like
c:\xampp\
because everything lives under there, otherwise you will have to do
each manually, these days your config should not be in c:\windows or c:
\windows\system32 if it is move it out of there and next to the apache
executable or somewhere less "important"
right click that folder and select
protperites->security tab
add->advanced->find
find your apache user, click on it and say ok, and ok it again
once you have your apache user added, you will need to set its rights
useing the checkboxes.
the apache user will need write access to some parts but read only on
others, think carefully and make your decisions.
now that you have everything set up goto
start->run->services.msc
double click the apache service (I am assuming you have apache running
aas a service)
logo on tab
under "this account" type the user "apache" and its strong password,
apply, and ok the warning, restart the service
apache will start if it has enough rights to do so.
Now if php is running as a module, write a short script that tries to
read files from outside the folders for which apache has permission.
It shouldnt be able to.
Same goes for write permissions.
try to start a session with php, it will use the tmp directory and you
should check it can read/write to the session files.
If everything is ok, you now have a more secure setup.
hope it helps.
Navigation:
[Reply to this message]
|