httpd-users mailing list archives

From "Daniel Grace" <rub...@earthlink.net>
Subject Re: Protect directory
Date Thu, 21 Feb 2002 23:43:42 GMT
>From: "Paul Stephenson" <PStephenson@ficgroup.com>
>To: <users@httpd.apache.org>
>Sent: Thursday, February 21, 2002 12:16 PM
>Subject: RE: Protect directory
>
>
>If this is done on a linux or unix platform here is how I did it, and
>everyone can tell me if it is not secure.
>
>I run the apache as user=www and group=webgroup, therefore if I make
>every user that will be hosting pages, I can set the UID of the
>person's folder to their UID, and I set the user's GID in the
>/etc/passwd file to 'webgroup', and then I do a chmod -R o-x on the
>user's directory.
>
>So in summary here is what you have:
>
>drwxr-x--- This means that only the folders user can read, write, and
>execute, but the group that is running apache has permission to read
>and execute.  What this means is that multiple people can log onto
>your ftp site, see that there are other sites around, but they can't
>even do an 'ls' on any of the directories (except for the one they
>own).

This is safe if you're dealing with plain HTML, but if you have any sort of
dynamic page generation (CGI, PHP, PERL) there is a MAJOR flaw in this
security setup and no easy way to fix it (unless you're willing to use
suEXEC).

Without suEXEC (or Apache 2.0's horribly broken perchild handler which won't
even compile in beta 3, though it would be the better approach if it
works), all of your users' scripts will run as the webserver process. This
means they have write access to anything that Apache does. It also means
that, since Apache can read all the web directories, so could the scripts
the users write.

For example, say one user has a script that accesses a database. It contains
the database username and password somewhere within that page so the
connection can be made. It would be trivial for another user to gain access
to the source for that script and thus obtain the username/password.

-- Daniel Grace
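The following model is an added example by the editor, not code from either poster. It encodes the permission scheme from the thread (each hosting user's tree owned by that user, group webgroup, chmod -R o-x, Apache running as www in webgroup) as a small POSIX owner/group/other check, then asks the question Daniel raises: what can a script reach when it runs as the server user, versus when suEXEC runs it as the script's owner? All user names, uids, gids and paths are constructed. It also assumes the hosting users are not themselves members of webgroup (only their directories carry that group), so the only cross-user path is through the server process.

```python
"""Added example: modelling the thread's permission scheme to show what a
CGI/PHP script can read or write depending on the identity it runs as."""
import posixpath
import stat

# Constructed identities: user name -> uid, group name -> gid.
UIDS = {"root": 0, "www": 80, "alice": 1001, "bob": 1002}
GIDS = {"root": 0, "webgroup": 500, "alice": 1001, "bob": 1002}
# Assumed group membership: Apache's user www runs in webgroup; the hosting
# users are assumed NOT to be in webgroup, so they cannot use its group bits.
MEMBERS = {"root": {"root"}, "www": {"webgroup"},
           "alice": {"alice"}, "bob": {"bob"}}

# Constructed tree: path -> (owner, group, permission bits). The user trees
# follow the thread: owned by the user, group webgroup, no 'other' access.
TREE = {
    "/": ("root", "root", 0o755),
    "/home": ("root", "root", 0o755),
    "/home/alice": ("alice", "webgroup", 0o750),
    "/home/alice/public_html": ("alice", "webgroup", 0o750),
    "/home/alice/public_html/db.php": ("alice", "webgroup", 0o640),
    "/home/bob": ("bob", "webgroup", 0o750),
    "/home/bob/public_html": ("bob", "webgroup", 0o750),
    "/home/bob/public_html/db.php": ("bob", "webgroup", 0o640),
    "/var": ("root", "root", 0o755),
    "/var/www": ("root", "root", 0o755),
    "/var/www/uploads": ("www", "webgroup", 0o755),  # server-writable dir
}


def dac_allows(path, user, perm):
    """Classic POSIX check on one node: owner bits if the uid matches, else
    group bits if any of the caller's groups match, else 'other' bits.
    perm is 'r', 'w' or 'x'. root gets no special treatment here."""
    owner, group, mode = TREE[path]
    bit = {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR}[perm]
    if UIDS[owner] == UIDS[user]:
        return bool(mode & bit)
    if GIDS[group] in {GIDS[g] for g in MEMBERS[user]}:
        return bool(mode & (bit >> 3))
    return bool(mode & (bit >> 6))


def ancestors(path):
    """Every directory above path, nearest first, ending with '/'."""
    dirs = []
    cur = path
    while cur != "/":
        cur = posixpath.dirname(cur)
        dirs.append(cur)
    return dirs


def can_open(path, user, perm="r"):
    """Opening a file needs search (x) on each directory above it plus the
    requested bit on the file itself. This is what a shell or FTP login
    gets: users cannot even traverse each other's trees."""
    return (all(dac_allows(d, user, "x") for d in ancestors(path))
            and dac_allows(path, user, perm))


def script_can_open(script_owner, target, perm="r", suexec=False):
    """The identity a script runs under decides what it reaches: without
    suEXEC every user's script runs as www (the server), with suEXEC it
    runs as the user who owns the script."""
    effective = script_owner if suexec else "www"
    return can_open(target, effective, perm)


if __name__ == "__main__":
    bob_cfg = "/home/bob/public_html/db.php"
    # alice at a shell/FTP prompt: blocked by the cleared 'other' bits.
    print(can_open(bob_cfg, "alice"))                        # False
    # alice's script without suEXEC runs as www, which reads every tree.
    print(script_can_open("alice", bob_cfg))                 # True
    # With suEXEC the same script runs as alice and is blocked again.
    print(script_can_open("alice", bob_cfg, suexec=True))    # False
    # Any user's script can also write wherever www can write.
    print(script_can_open("alice", "/var/www/uploads", "w"))  # True
```

The two True results are Daniel's point in concrete form: the group bits that let Apache serve every user's files are exactly the bits a script inherits when it runs as Apache, so a per-user read restriction on the shell/FTP side gives no isolation between scripts. The suexec flag shows why running scripts as their owner closes that path without touching the directory modes.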




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

