httpd-users mailing list archives

From "Jeff Cohen" <supp...@gej-it.com>
Subject RE: [users@httpd] Setting access for users - Apache, Win32
Date Thu, 24 Jul 2003 02:06:45 GMT
Location is not good for us in this case. Try doing something else: run
Apache's service as a new user; let's call it apache_user in this scenario.
In order to run Apache as apache_user, you first have to create that user in
your system. Once it is created, go to the services and double-click on
the apache2 service, go to the log-on tab and browse for the available users
list, choose the apache_user you created, and type its password. When you
press OK you should get a message that "the user apache_user has granted to
'logon as a service' in the system" - then restart the service.
Now - the permissions part: right-click on drive C:\ and choose properties
-> security tab.
Now, add the user "apache_user" and deny its access. - yes! Deny it!
After denying, go to the Apache home dir, right-click and choose properties
again, make sure you BLOCK inherited permissions from the parent folder, and
give this user "change" permissions. Do the same thing on the c:\www folder
that you have.
That would deny that user from doing ANYthing in your system except running
the service and "changing" these folders' contents.

That's a VERY strict permissions solution if it's that urgent for you.

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!
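
The permissions part of the procedure above, as an added PowerShell sketch that is not part of the original message. It assumes a current Windows host where icacls is available and that the account and service logon were already set up through the Services dialog as described; `C:\Apache2` is an assumed install path, and the script only prints the commands unless `-Apply` is given.

```powershell
# Added example, not from the thread. apache_user and C:\www come from the
# message; C:\Apache2 is an assumed install path. Dry run unless -Apply.
param(
    [string]$User       = 'apache_user',
    [string]$ApacheHome = 'C:\Apache2',
    [string]$WebRoot    = 'C:\www',
    [switch]$Apply
)

function Invoke-Icacls([string[]]$Arguments) {
    Write-Host "icacls $($Arguments -join ' ')"
    if ($Apply) {
        & icacls.exe @Arguments | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE): $Arguments" }
    }
}

# 1. Deny the service account on the whole drive; (OI)(CI) makes the ACE inherit.
Invoke-Icacls @('C:\', '/deny', "${User}:(OI)(CI)F")

foreach ($path in $ApacheHome, $WebRoot) {
    # 2. Stop inheriting from C:\. ":d" copies the inherited ACEs as explicit
    #    ones, so SYSTEM and Administrators keep their access...
    Invoke-Icacls @($path, '/inheritance:d')
    # 3. ...but that copy includes the deny from step 1, so remove it here.
    Invoke-Icacls @($path, '/remove:d', $User)
    # 4. "Change" in the old permissions dialog corresponds to Modify (M).
    Invoke-Icacls @($path, '/grant', "${User}:(OI)(CI)M")
}

# 5. Read-only check: list the ACEs the account ends up with on each folder.
foreach ($path in $ApacheHome, $WebRoot) {
    if (-not (Test-Path $path)) { continue }
    (Get-Acl $path).Access |
        Where-Object { $_.IdentityReference.Value -like "*$User" } |
        Select-Object @{n='Path';e={$path}}, AccessControlType, FileSystemRights, IsInherited
}
```

Run it without `-Apply` first to review the commands. Because the deny on C:\ also covers the Windows directory, confirm on a test host that the service still starts under apache_user before relying on it.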



> -----Original Message-----
> From: Vildan [mailto:vildan@origincode.com]
> Sent: Wednesday, July 23, 2003 9:06 PM
> To: users@httpd.apache.org
> Subject: SV: [users@httpd] Setting access for users - Apache, Win32
> 
> hello,
> 
> 
> I have tried with this:
> 
>  <Location /tmp>
>    Order Deny,Allow
>    Deny from all
>  </Location>
> 
> and it worked. I couldn't execute a PHP script that creates a file in
> "tmp" directory.
> 
> But when I tried:
> 
> <Location c:/WINNT>
>    Order Deny,Allow
>    Deny from all
>  </Location>
> 
> and / or:
> 
> <Location "c:/Program Files">
>    Order Deny,Allow
>    Deny from all
> </Location>
> 
> It didn't work.
> 
> I have tried to replace location with directory and it didn't work.
> 
> I am stuck.
> Please Help!
> 
> 
> Regards,
> 
> - Vildan
> 
> 
> >
> > Try something like that:
> >
> > <Location c:/>
> > Order deny,allow
> > Deny from all
> > </Location>
> >
> > <Location "c:/program files">
> > Order deny,allow
> > Deny from all
> > </Location>
> >
> > and so on where you want to block the access, but make sure
> > that the directory c:/www has the right permissions and they
> > are not inherited.
> >
> > I'm not familiar with permissions thru PHP or CGI, I know
> > Apache can do it, otherwise each and every hosting company
> > would have been in big time troubles.
> >
> > All the best,
> > Jeff Cohen
> > Support@GEJ-IT.com
> > Tel. (416) 917-2324
> > www.GEJ-IT.com
> > GEJ-IT Networks!
> >
> >
> 
> > >
> > > Users upload their files through the FTP.
> > >
> > > But it's not impossible either for them to create 'upload-script' with
> > > PHP or CGI and put it in their home, and execute it.
> > >
> > > There is no protection against CGI scripts either. And yes, they could
> > > execute anything.
> > >
> > > suexec is a bit complicated process and needs recompiling of the Apache
> > > source.
> > >
> > > Isn't there any other way to stop users from executing/running
> > > scripts/binaries outside their 'home' directory ?
> > >
> > > Here's an example (http://se2.php.net/manual/en/security.apache.php)
> > > of locking the scripts to their VirtualHost-DocumentRoot-directories:
> > >
> > > ------------------------------------------------------
> > >
> > > You can set open_basedir dynamically for every virtual host you have,
> > > so every PHP script on a virtual host is jailed to its document root.
> > >
> > > Example:
> > > <VirtualHost www.example.com>
> > >  ServerName www.example.com
> > >  DocumentRoot /www-home/example.com
> > > [...]
> > >  <Location />
> > >   php_admin_value open_basedir "/www-home/example.com/:/usr/lib/php/"
> > >  </Location>
> > > </VirtualHost>
> > >
> > > If you set safe_mode on, then the script can only use binaries in
> > > given directories (make a special dir only with the binaries your
> > > customers may use).
> > >
> > > Now no user of a virtual host can read/write/modify the data of
> > > another user on your machine.
> > >
> > > ------------------------------------------------------
> > >
> > > Isn't there any similar directive for Apache to limit user to their
> > > 'home' directory ?
> > >
> > > Is possible to use .htaccess here for limitation ?
> > >
> > >
> > > regards,
> > >
> > > - Vildan
> > >
> > >
> > > > How does your users upload files to the server?
> > > > You do not have any protection against CGI scripts running on your
> > > > server, it's like having your clients running .exe files on the
> > > > system. What you can do is to add the users to the Windows 2000
> > > > itself and use suexec.
> > > >
> > > > All the best,
> > > > Jeff Cohen
> > > > Support@GEJ-IT.com
> > > > Tel. (416) 917-2324
> > > > www.GEJ-IT.com
> > > > GEJ-IT Networks!
> > > >
> > > >
> > > > > Hello,
> > > > >
> > > > >
> > > > >
> > > > > I run Apache 2.0.47 on Windows 2000 Server platform with PHP
> > > > > support.
> > > > >
> > > > > I have recently discovered that somebody created files outside
> > > > > their home directory and put them in root folder c:\
> > > > >
> > > > > My configuration is as follows:
> > > > >
> > > > > - Multiple websites are hosted on the web server using virtual hosts
> > > > >   and domain name based configuration (not ip-based).
> > > > >
> > > > > ...
> > > > >
> > > > > <Virtualhost website.com>
> > > > > ServerAdmin webmaster@website.com
> > > > > DocumentRoot c:\www\website\www
> > > > > ServerName www.website.com
> > > > > ErrorLog c:\www\website\log\error_log
> > > > > TransferLog c:\www\website\log\access_log
> > > > > </Virtualhost>
> > > > >
> > > > > <Virtualhost website2.com>
> > > > > ServerAdmin webmaster@website2.com
> > > > > DocumentRoot c:\www\website2\www
> > > > > ServerName www.website2.com
> > > > > ErrorLog c:\www\website2\log\error_log
> > > > > TransferLog c:\www\website2\log\access_log
> > > > > </Virtualhost>
> > > > >
> > > > > ...
> > > > >
> > > > > Those websites are stored in:
> > > > >
> > > > > c:\www <--- DocumentRoot "C:/www"
> > > > >
> > > > >
> > > > > So each website has its own 'home' as for virtual hosts above:
> > > > >
> > > > > c:\www\website\www
> > > > >
> > > > > c:\www\website2\www
> > > > >
> > > > >
> > > > > Currently, if some user uploads an executable script (PHP/CGI) into
> > > > > his home directory (e.g. c:\www\website2\www), he is able e.g. to write
> > > > > a file in c:\www\website\www or c:\ (root).
> > > > >
> > > > > 1.
> > > > > How can I limit users and their executable scripts to be
> > > > > run/executed only in their own 'home' (e.g. c:\www\website\www)
> > > > > directory, and limit their access to their DocumentRoot only ?
> > > > >
> > > > >
> > > > > Best Regards,
> > > > >
> > > > > - Vildan
> > > > >
> > > > >
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

