[nycphp-talk] Can't do PHP 'exec' for an rsync command via web server
Daniel Convissor
danielc at analysisandsolutions.com
Mon Jun 25 13:14:16 EDT 2012
Hi David:
> It was very wise of Hans to also recommend to create
> /home/apache instead of using the default /var/www because a nasty user
> could have easily accessed the .ssh directory there and gotten the
> public/private keys, and the known hosts.
Well, they still do. Though the attacker would have to be able to
add/edit a script on your server, putting in code that reads the
files from the /home/apache dir.
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335