httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rod Roark" <...@sunsetsystems.com>
Subject Re: Virtual hosting: comments requested
Date Thu, 25 Oct 2001 23:56:09 GMT
Cliff Woolley said:
> On Thu, 25 Oct 2001, Rod Roark wrote:
>
>> I did come up with a possible solution.  However I'm not sure if it's complete
>> garbage, mildly useful, or really interesting.  That's why I'm posting here.
>>
>> Then, /opt/www/users looks like this:
>>
>>   drwx--x--x  root     root     .
>>   drwxrwx---  some     apache   somename_ThisIsASecret
>>   drwxrwx---  another  apache   anothername_ThisIsAnotherSecret
>>
>> You get the idea.  Nobody can list the contents of /opt/www/users, but users can
get
>> into their own directory if they know its name.
>
>
> This does of course restrict them when they're logged on to your machine as
> themselves... the real problem in all of this, though, is that their CGI scripts and
> PHP documents and so on all run as the apache user, and the apache user has rights to
> all of them, meaning that they all can get access to each others' files by simply
> telling the webserver to do it for them.

Um, how?  It's clear that all scripts will run as user apache,
but the whole point is that if you don't know the other user's
documentroot name then you can't formulate a malicious request.
Or is there an API that gives you this information?

> SuExec fixes this for CGI, but not for PHP
> and so on.  The real solution will come with Apache 2.0 as the "perchild MPM" which
> allows separate Apache child processes to run under different UIDs.  Each child only
> handles those requests that are for the virtual hosts assigned to it, and it hands
> off requests for other vhosts to the other children as necessary.  This is better
> than the approach of totally separate instances of httpd since, as you mention, in
> the totally separate scenario only one can be running on port 80 for a given IP
> address.

Very good news!

> --Cliff
>
> --------------------------------------------------------------
>   Cliff Woolley
>   cliffwoolley@yahoo.com
>   Charlottesville, VA

-- Rod




Mime
View raw message