httpd-users mailing list archives

From Chuck Pierce <ch...@onyxsys.net>
Subject Re: [users@httpd] Re: chrooted cgi-bin
Date Mon, 02 Dec 2002 19:22:50 GMT
The problem is not just for security (although it does help), but really for
dumb users.

I have a setup like this:
  One directory contains all of the "home" directories for all of the virtual
hosts.  Each home directory contains three subdirectories (web, cgi-bin, data).
The web folder is for the html/images, the cgi-bin is for their cgi scripts, and
the data directory is for any data files, templates, etc. that any of the cgi
scripts might use.

I'm using proftpd to have users chrooted into "/path/to/website.com", so all
they see are the web, cgi, and data directories.  Because of this, when they put
data files in their data directory, they are attempting to open /data/somefile
instead of /path/to/website.com/data/somefile (or even ../data/somefile).  If I
chroot the user, they can open /data/somefile and it will work.

As far as file space is concerned, I can set up a chroot_usr directory that I hard
link to the user's home directory as usr.  So when they reference /usr/bin/perl it will
work (and I won't need a bunch of copies of perl).

Now, my question is this: how much overhead were you talking about for the chrooted
system calls?  I was under the assumption that it just took up more memory (to
exec another shell).

- Chuck

btw, sbox wasn't in freshmeat, but I did find it at
http://stein.cshl.org/~lstein/sbox/ (for those reading the thread).


On Mon, Dec 02, 2002 at 06:58:55PM +0100, Davide Giunchi wrote:
> 
> This is what I was searching for before using Apache in a real-world mass 
> VirtualHosting system.
> The direct answer to your question is: sbox, you can search for it on 
> freshmeat.net .
> I've used it, but to permit a little scripting to the users via a chrooted env 
> you must compile a little chrooted env that uses ~ 20Mb for each VirtualHost 
> (libc6, bash, perl with some modules), so you will lose a lot of space.
> And then for php? Wouldn't you like to chroot php too? So you will need to 
> compile php too, so other space is needed, minimum other 10Mb.
> Second, sbox is a program from 1997, with no other upgrades since then; it works, but 
> do you trust it for the future? I will use it only if I have good C and 
> suexec.c internal knowledge.
> Last but not least, every cgi-bin (or php) will need a chroot() system call, 
> and this is not a little overhead on a big system.
> 
> So after a little testing I've found that I can provide a lot of security by running the whole 
> of Apache in a chroot, protecting every user's DocumentRoot with Unix permissions 
> and using suEXEC.
> In a chroot you can deny every user a look at /etc/passwd and other 
> important files, and with simple permissions you can permit every user to 
> look only at his own document root and not other users' documents. Yes, he can 
> surf the filesystem, but with a chroot you have few files, so you can 
> control it quickly with Unix permissions.
> 
> Regards.
> 
> -- 
> Davide Giunchi.
> Member of FoLUG (Forlì Linux User Group) - http://folug.linux.it
> GPG Key available on http://www.keyserver.net 
> Fingerprint: 4BFF 2682 6A58 ECFE 071B  A1A4 F2A3 9EFA 6494 81FD


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
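
The per-request chroot step discussed in this thread, written out as an added example (it is not code from sbox, suEXEC or either poster). The function name enter_jail, the command-line layout and the uid/gid values are assumptions made for illustration; the wrapper has to start as root for chroot() to succeed.

```c
/* Added example: chroot a CGI into its site directory, then drop privileges.
 * enter_jail() and the argument layout of main() are hypothetical. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process to site_root and switch to an unprivileged uid/gid.
 * Returns 0 on success, -1 on any failure; the caller must not exec on -1. */
int enter_jail(const char *site_root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)       /* never run a user script as root */
        return -1;
    if (chdir(site_root) != 0)      /* enter the tree before changing root */
        return -1;
    if (chroot(".") != 0)           /* requires root privileges */
        return -1;
    if (chdir("/") != 0)            /* make sure cwd is inside the new root */
        return -1;
    if (setgroups(0, NULL) != 0)    /* drop supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* gid first, then uid */
        return -1;
    if (setuid(0) == 0)             /* regaining root must be impossible */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s site_root uid gid /cgi-bin/script\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) {
        fprintf(stderr, "enter_jail failed, refusing to run script\n");
        return 1;
    }
    /* From here on, /data/somefile resolves to <site_root>/data/somefile,
     * and the interpreter (e.g. /usr/bin/perl) must exist inside the jail. */
    execv(argv[4], &argv[4]);
    perror("execv");
    return 1;
}
```

The order matters: privileges are dropped only after chroot(), and the final setuid(0) check confirms the drop cannot be undone before the script is executed.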

