No executables in /tmp

Matthew Frederico mfrederico at
Mon Apr 10 19:07:36 MDT 2006

On 3/27/06, Jeff Schroeder <jeff at> wrote:
> Bryan:
> The catalyst that began all this is some PHP apps installed on my
> servers (by web hosting customers) are vulnerable... phpBB is a
> particularly big offender.  There are well-known exploits that allow a
> file to be saved to /tmp and run via the Perl interpreter.  Rather than
> tell my customers to take a hike, I wanted to find a way to prevent the
> exploit (which is better security policy anyway).

Had the same problem with those pesky script kiddies.

Run PHP in safe mode / without url fopen wrappers (which is the actual
issue), and with open_basedir in effect.  Make the basedir the user home
dir and other PHP include dirs.  Apache will write to /tmp by itself for
sessions etc. because it doesn't live by the rules of PHP.

It will cost you in a bit more admin work but save your neck from being
chopped at your provider.

Hackville Pop 2

-- Matthew Frederico
Cell: (518)365-9841
Office: (361)288-3331
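
An added example, not part of the original post: a small audit of a customer's php.ini for the three settings named in the reply above (safe mode, the URL fopen wrappers, open_basedir). The sample files, the `/home/alice` and `/usr/share/php` paths, and the function names are assumptions made for illustration.

```python
import posixpath

TRUE = {"1", "on", "yes", "true"}
# PHP's built-in defaults when a directive is absent from php.ini.
DEFAULTS = {"safe_mode": "Off", "allow_url_fopen": "On", "open_basedir": ""}

def parse_ini(text):
    """Return a directive -> value map; a later line overrides an earlier one."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def inside(path, root):
    """True if path is root itself or lies below it (no prefix confusion)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(text, allowed_roots):
    """List findings for one php.ini.
    allowed_roots: the user's home dir and the PHP include dirs (assumed)."""
    s, findings = parse_ini(text), []
    if s["allow_url_fopen"].lower() in TRUE:
        findings.append("allow_url_fopen is on")
    if s["safe_mode"].lower() not in TRUE:
        findings.append("safe_mode is off")
    dirs = [d for d in s["open_basedir"].split(":") if d]
    if not dirs:
        findings.append("open_basedir is not set")
    for d in dirs:
        if not any(inside(d, r) for r in allowed_roots):
            findings.append("open_basedir allows " + d)
    return findings

# Constructed sample files, not taken from the thread.
WEAK = "[PHP]\nsafe_mode = Off\nopen_basedir = /home/alice:/tmp\n"
HARDENED = ("[PHP]\nsafe_mode = On\nallow_url_fopen = Off ; no remote includes\n"
            'open_basedir = "/home/alice:/usr/share/php"\n')
ROOTS = ["/home/alice", "/usr/share/php"]

if __name__ == "__main__":
    for name, ini in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(ini, ROOTS) or "ok")
```

A directive missing from the file is judged by PHP's default, which is why the weak sample is flagged for `allow_url_fopen` even though it never mentions it.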
