httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "RuneImp" <r...@imptech.net>
Subject Re: Protect directory
Date Fri, 22 Feb 2002 04:42:28 GMT
What I do is set the VirtualHost directories permissions
to 770 drwxrwx--- and set www (Apache) as the user for
those directories & make the group the domain name. Then
each person who needs access to that site gets added to
the domain name group.

That way only Apache & the appropriate users of the
domain have access to the website files. Anyone else in
another group can't see the files on the server except
through the Internet as appropriate.

There is probably some major flaw in this that I'm
overlooking but I haven't found it yet.


-=- RuneImp
ImpTech - Web Design, Hosting & Computer Tech
http://imptech.net
rune@imptech.net

 
----- Original Message ----- 
From: "Daniel Grace" <rubein@earthlink.net>
To: <users@httpd.apache.org>
Sent: Thursday, February 21, 2002 3:43 PM
Subject: Re: Protect directory


>From: "Paul Stephenson" <PStephenson@ficgroup.com>
>To: <users@httpd.apache.org>
>Sent: Thursday, February 21, 2002 12:16 PM
>Subject: RE: Protect directory
>
>
>If this is done on a linux or unix platform here is how I did it, and
>everyone can tell me if it is not secure.
>
>I run the apache as user=www and group=webgroup, therefore if I make
>every user that will be hosting pages, I can set the UID of the the
>person's folder to their UID, and I set the user's GID in the
>/etc/passwd file to 'webgroup', and then I do a chmod -R o-x on the
>user's directory.
>
>So in summary here is what you have:
>
>drwxr-x--- This means that only the folders user can read, write, and
>execute, but the group that is running apache has permission to read
>and execute.  What this means is that multiple people can log onto
>your ftp site, see that there are other sites around, but they can't
>even do an 'ls' on any of the directories (except for the one they
>own).

This is safe if you're dealing with plain HTML, but if you have sort of
dynamic page generation (CGI, PHP, PERL) there is a MAJOR flaw in this
security setup and no easy way to fix it (unless you're willing to use
suEXEC).

Without suEXEC (or Apache 2.0's horribly broken perchild handler which won't
even compile in beta 3, though it would be be the better approach if it
works), all of your users' scripts will run as the webserver process. This
means they have write access to anything that Apache does. It also means
that, since Apache can read all the web directories, so could the scripts
the users write.

For example, say one user has a script that accesses a database. It contains
the database username and password somewhere within that page so the
connection can be made. It would be trivial for another user to gain access
to the source for that script and thus obtain the username/password.

-- Daniel Grace


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message