PHP scripts have ruid & euid of HTTPD!

Anon

Dear All:
How to close this security hole:
(step by step description)
1.User create their own PHP-based page;
2.This page executed by HTTPD and runs under httpd's ruid and euid.
3. This allow to php-script destroy any files on WWW, which was created/uploaded/modified by other httpd's process. For example any uploaded images, generated pages and so on...

As I mean it is a big trouble for multiusers Web servers.

Anon

The safest solution with Apache is to use PHP as a CGI module, because you can then use suEXEC to change the execution permissions on a per-owner basis. I'm sure there are similar solutions for other webservers out there.

If you <i>must</i> have PHP as an Apache module, you'll need to closely audit the PHP scripts. This could get time consuming, and it's not as solid as using a suEXEC-type mechanism.

HTH,