I made an account for a user. This is based on a restrictive server template where the user cannot edit PHP and such.
This user was able to rewrite the etc folder and create a new one with his own php.ini.
This is what he said:
"The file was root root 733.
Rename the etc folder (which you have rights to do), then create a new one that you own, and you can create the new directory structure / php.ini that you are then the owner of.
The only solution I could think of to easily correct the situation (as the user NEEDS rights to exec / read these files) would be to set an immutable flag on the php.ini and the php5.fcgi file."
If the wrapper scripts run as root when creating an account, then the additional lines could be entered in the "default server template"?
Can I add this
[code]
# As root: set the immutable flag; -exec hands file names to chattr directly instead of piping them through sh
find /home \( -name php.ini -o -name php5.fcgi \) -exec chattr +i {} +
[/code]
into the fcgi wrapper to prevent users from exploiting this permission deficiency?
Thank you.
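An added example, not part of the original post: a read-only audit that flags any home whose etc directory or etc/php.ini is missing, a symlink, or not owned by root, which is the state the rename described in the post leaves behind. The `<home>/etc/php.ini` layout is taken from the post; the function names and the optional trusted-uid argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit per-user etc/ directories under a homes root.
# Assumed layout (from the post): <home>/etc/php.ini, owned by root (uid 0).

# Print the numeric owner uid of a path (plain ls, no GNU stat needed).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# audit_home HOME [TRUSTED_UID]
# Prints one finding per line; returns 1 if anything was flagged.
audit_home() {
    home=$1
    trusted=${2:-0}
    rc=0
    for p in "$home/etc" "$home/etc/php.ini"; do
        if [ -L "$p" ]; then
            # A symlink here means the path can point anywhere the user likes.
            echo "SYMLINK $p"; rc=1
        elif [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1
        elif [ "$(owner_uid "$p")" != "$trusted" ]; then
            # User-owned etc/ or php.ini: the directory was replaced.
            echo "OWNER $p uid=$(owner_uid "$p") expected=$trusted"; rc=1
        fi
    done
    return $rc
}

# audit_all HOMES_ROOT [TRUSTED_UID]: run audit_home on every directory.
audit_all() {
    status=0
    for h in "$1"/*/; do
        [ -d "$h" ] || continue
        audit_home "${h%/}" "${2:-0}" || status=1
    done
    return $status
}

# Stand-alone use: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

The check covers the etc directory as well as php.ini because an immutable flag on a file does not stop its parent directory from being renamed by whoever can write to the home directory.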