PHP4 as Module / MimeType

Anon

I have a security problem that I have came across that I need help with. Our main webserver runs as user 'nobody' and has PHP4 loaded as a module into Apache. I require all my users to run their PHP scripts as .cgi using the #!/usr/local/bin/php4 on their first line so that the script runs as the user for security reasons.

I noticed that if one of my users creates a .htaccess file and sticks in the directive AddType application/x-httpd-php .php in their directory and name their file .php it will run the PHP4 file as the webserver and not require the script to run as the user.

Is there a way around this? How can i offer users to run .php files on my server but have it go thru suexec and run as the user and not the webserver?

Is there a way to get it so that they can't add do an AddType in the .htaccess file and me still offer AllowOverride FileInfo?

Any help would greatly be appreciated.

Devin

Anon

I have found the fix to my problem. If you use a <file> directive within the <directory> directive you can force the .php file to run as CGI no matter what the user sticks in the .htaccess file.

example:

<Directory "/home///public_html">
<Files ~ ".(php|php3|php4)$">
AddHandler cgi-script .php .php3 .php4
</Files>
options indexes followsymlinks MultiViews Includes ExecCGI
AllowOverride AuthConfig FileInfo Limit
</Directory>