httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Harr <ja...@grickle.org>
Subject Re: Limit a user's CGI in his/her directory
Date Mon, 18 Mar 2002 21:53:36 GMT
Richard,

So set up permissions correctly and tell users to secure their directories (IE make suexec
files exec-only for 'others').. It's the best way to do it. Keep it real. chrooting may work,
but it may confuse some out-of-the-box cgi scripts that use perl modules.

Sorry, but that is all I have to offer you.

Later,
James

On Tue, 19 Mar 2002 3:2:38 +1000
"Richard" <guyuan@telpacific.com.au> wrote:

> Dear James
> 
> The CGI I mentioned in my question is PERL.
> I have a few virtual sites in my server. There is a security risk
> that these users are able to open files that are not in his/her
> directory by using PERL scripts.
> 
> Now, I just made it work that the user can not open a file out
> of his/her directory with PHP by adding php_admin_value open_basedir 'directory'
> into apache configuration file.
> 
> I want to implement the same limitation with PERL.
> Also, I want to block some functions in PERL, such as system().
> 
> Is there any suggestion? Thank you.
> 
> 
> >Hi Richard,
> >
> >CGI in itself really isn't a language or an executable at all, it is an
> >interface between the program that handles the request (perl script, php,
> >binary), the webserver, and the web browser. Now you really can't put a
> >limit on the binaries and what-not because it would essentially require a
> >rewrite of parts of the kernel, or running a virtual machine, either way
> >would be less than satisfactory. If you are talking about mod_perl, I'm not
> >sure...
> >
> >The best way to set things up securely is to:
> >1) Don't use any 'mod_'s for cgi.
> >   a) Perl runs relatively fast on unix systems
> >   b) PHP has a fastcgi mode built in (enabled at compile time).
> >      i) You will have to throw php in each user's cgi-bin (2.4mb or so)
> >      ii) Setup an AddHandler and Action in php for it
> >   c) Use suexec with ssi, fastcgi-php, runs everything as the owner of the
> >file.
> >2) Use your system file permissions, this are the fastest, securest, and
> >has the least bugs of anything that I know.
> >
> >Let me know if I missed anything.
> >
> >Later,
> >James Harr
> >
> >> I am trying to work out how to limit a user's CGI
> >> in a directory.
> >>
> >> I have apache 1.3.23 on my FreeBSD4.4 machine. I
> >> created a few virtual hosts. To improve the security,
> >> I want to limit the users's CGI only in his/her
> >> directory, which means he/she can not open a file
> >> out of his/her directory. I've done this in PHP
> >> with php_admin_value open_basedir 'directory',
> >> But I am wondering how to implement in CGI.
> >> I saw some webhosting companies are like this,
> >> which are using apache as well, so I am pretty
> >> sure this is possible.
> >>
> >> Also, is it possible disallow user to use system()
> >> function in CGI?
> >>
> >> Anyone who can help me will be very appreciated.
> >
> >
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message