httpd-users mailing list archives

From "Vildan" <vil...@origincode.com>
Subject SV: [users@httpd] Setting access for users - Apache, Win32
Date Thu, 24 Jul 2003 01:06:25 GMT
hello,


I have tried with this:

 <Location /tmp>
   Order Deny,Allow
   Deny from all
 </Location>

and it worked. I couldn't execute a PHP script that creates a file in
"tmp" directory.

But when I tried:

<Location c:/WINNT>
   Order Deny,Allow
   Deny from all
 </Location>

and / or:

<Location "c:/Program Files">
   Order Deny,Allow
   Deny from all
</Location>

It didn't work.

I have tried to replace location with directory and it didn't work.

I am stuck.
Please Help!


Regards,

- Vildan


> 
> Try something like that:
> 
> <Location c:/>
> Order deny,allow
> Deny from all
> </Location>
> 
> <Location "c:/program files">
> Order deny,allow
> Deny from all
> </Location>
> 
> and so on where you want to block the access, but make sure 
> that the directory c:/www has the right permissions and it 
> is not inherited.
> 
> I'm not familiar with permissions thru PHP or CGI, I know 
> Apache can do it, otherwise each and every hosting company 
> would have been in big time troubles.
> 
> All the best,
> Jeff Cohen
> Support@GEJ-IT.com
> Tel. (416) 917-2324
> www.GEJ-IT.com
> GEJ-IT Networks!
> 
> 

> > 
> > Users upload their files through the FTP.
> > 
> > But it's not either impossible for them to create 'upload-script' with
> > PHP or CGI and put it in their home, and execute it.
> > 
> > There is no protection against CGI scripts either. And yes, they could
> > execute anything.
> > 
> > suexec is a bit complicated process and needs recompiling of the Apache
> > source.
> > 
> > Isn't there any other way to stop users from executing/running 
> > scripts/binaries outside their 'home' directory ?
> > 
> > Here's an example (http://se2.php.net/manual/en/security.apache.php)
> > of locking the scripts to their VirtualHost-DocumentRoot-directories:
> > 
> > ------------------------------------------------------
> > 
> > You can set open_basedir dynamically for every virtual host you have,
> > so every PHP script on a virtual host is jailed to its document root.
> > 
> > Example:
> > <VirtualHost www.example.com>
> > ServerName www.example.com
> >  DocumentRoot /www-home/example.com
> > [...]
> >  <Location />
> >   php_admin_value open_basedir "/www-home/example.com/:/usr/lib/php/"
> > </Location>
> > </VirtualHost>
> > 
> > If you set safe_mode on, then the script can only use binaries in 
> > given directories (make a special dir only with the binaries your 
> > customers may use).
> > 
> > Now no user of a virtual host can read/write/modify the data of 
> > another user on your machine.
> > 
> > ------------------------------------------------------
> > 
> > Isn't there any similar directive for Apache to limit user to their 
> > 'home' directory ?
> > 
> > Is possible to use .htaccess here for limitation ?
> > 
> > 
> > regards,
> > 
> > - Vildan
> > 
> > 
> > > How does your users upload files to the server?
> > > You do not have any protection against CGI scripts running on your 
> > > server, it's like having your clients running .exe files on the 
> > > system. What you can do is to add the users to the Windows 2000 
> > > itself and use suexec.
> > >
> > > All the best,
> > > Jeff Cohen
> > > Support@GEJ-IT.com
> > > Tel. (416) 917-2324
> > > www.GEJ-IT.com
> > > GEJ-IT Networks!
> > >
> > >
> > > > Hello,
> > > >
> > > >
> > > >
> > > > I run Apache 2.0.47 on Windows 2000 Server platform with PHP 
> > > > support.
> > > >
> > > > I have recently discovered that somebody created files outside 
> > > > their home directory and put them in root folder c:\
> > > >
> > > > My configuration is as follows:
> > > >
> > > > - Multiple websites are hosted on the web server using virtual hosts
> > > >   and domain name based configuration (not ip-based).
> > > >
> > > > ...
> > > >
> > > > <Virtualhost website.com>
> > > > ServerAdmin webmaster@website.com
> > > > DocumentRoot c:\www\website\www
> > > > ServerName www.website.com
> > > > ErrorLog c:\www\website\log\error_log
> > > > TransferLog c:\www\website\log\access_log
> > > > </Virtualhost>
> > > >
> > > > <Virtualhost website2.com>
> > > > ServerAdmin webmaster@website2.com
> > > > DocumentRoot c:\www\website2\www
> > > > ServerName www.website2.com
> > > > ErrorLog c:\www\website2\log\error_log
> > > > TransferLog c:\www\website2\log\access_log
> > > > </Virtualhost>
> > > >
> > > > ...
> > > >
> > > > Those websites are stored in:
> > > >
> > > > c:\www <--- DocumentRoot "C:/www"
> > > >
> > > >
> > > > So each website has its own 'home' as for virtual hosts above:
> > > >
> > > > c:\www\website\www
> > > >
> > > > c:\www\website2\www
> > > >
> > > >
> > > > Currently, if some user uploads an executable script (PHP/CGI) into
> > > > his home directory (e.g. c:\www\website2\www), he is able e.g. to write
> > > > a file in c:\www\website\www or c:\ (root).
> > > >
> > > > 1.
> > > > How can I limit users and their executable scripts to be 
> > > > run/executed only in their own 'home' (e.g. c:\www\website\www) 
> > > > directory, and limit their access to their DocumentRoot only ?
> > > >
> > > >
> > > > Best Regards,
> > > >
> > > > - Vildan
> > > >
> > > >



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
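
Added example, not part of the original thread or of any poster's configuration: the `open_basedir` approach quoted above, applied to the two Windows virtual hosts from the first message, next to the `<Location>`/`<Directory>` blocks that were tried. It assumes PHP is loaded as an Apache module; the `<Directory>` defaults shown are illustrative.

```apache
# Added example; paths reuse the two virtual hosts quoted in the thread.
# Assumption: PHP runs as an Apache module, so php_admin_value is available
# and cannot be overridden from .htaccess or ini_set().

# <Location> matches the URL path of a request, not a folder on disk, so
# <Location c:/WINNT> does not protect the C:\WINNT folder.
# <Directory> matches filesystem paths, but only governs which files Apache
# itself will serve; it does not limit where a running script may write.
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<Directory "C:/www">
    Order Allow,Deny
    Allow from all
</Directory>

# Per-site jail for PHP file functions. The trailing slash makes the value a
# directory rather than a name prefix (otherwise C:/www/website would also
# cover C:/www/website2). On Windows, separate several directories with ";".
<VirtualHost website.com>
    ServerName www.website.com
    DocumentRoot "C:/www/website/www"
    php_admin_value open_basedir "C:/www/website/www/"
</VirtualHost>

<VirtualHost website2.com>
    ServerName www.website2.com
    DocumentRoot "C:/www/website2/www"
    php_admin_value open_basedir "C:/www/website2/www/"
</VirtualHost>
```

`open_basedir` constrains only PHP's own file functions; CGI programs and other binaries are limited only by the NTFS permissions of the account the Apache service runs as.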

