From: "Jeff Cohen"
To: users@httpd.apache.org
Date: Wed, 23 Jul 2003 22:06:45 -0400
Subject: RE: [users@httpd] Setting access for users - Apache, Win32

Location is not good for us in this case; try doing something else: run Apache's service as a new user, let's call it apache_user in this scenario.
In order to run Apache as apache_user, you have to first create that user in your system, and then, after it is created, go to the services and double-click on the Apache2 service, go to the log-on tab and browse the available users list, choose the apache_user you created, and type its password. When you press OK you should get a message that "the user apache_user has been granted 'logon as a service' in the system" - then restart the service.

Now - the permissions part: right-click on drive C:\ and choose properties -> security tab. Now add the user "apache_user" and deny its access. - yes! Deny it!

After denying, go to the Apache home dir and right-click and properties again, make sure you BLOCK inherited permissions from the parent folder, and give this user "change" permissions; do the same thing on the c:\www folder that you have.

That would deny that user from doing ANYthing in your system except running the service and "changing" these folders' contents.

That's a VERY strict permissions solution if it's that urgent for you.

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!

> -----Original Message-----
> From: Vildan [mailto:vildan@origincode.com]
> Sent: Wednesday, July 23, 2003 9:06 PM
> To: users@httpd.apache.org
> Subject: SV: [users@httpd] Setting access for users - Apache, Win32
>
> hello,
>
>
> I have tried with this:
>
> Order Deny,Allow
> Deny from all
>
> and it worked. I couldn't execute a PHP script that creates a file in
> "tmp" directory.
>
> But when I tried:
>
> Order Deny,Allow
> Deny from all
>
> and / or:
>
> Order Deny,Allow
> Deny from all
>
> It didn't work.
>
> I have tried to replace Location with Directory and it didn't work.
>
> I am stuck.
> Please Help!
>
>
> Regards,
>
> - Vildan
>
>
> > Try something like that:
> >
> >
> > Order deny,allow
> > Deny from all
> >
> >
> >
> > Order deny,allow
> > Deny from all
> >
> >
> > and so on where you want to block the access, but make sure
> > that the directory c:/www has the right permissions and it
> > does not inherit them.
> >
> > I'm not familiar with permissions through PHP or CGI; I know
> > Apache can do it, otherwise each and every hosting company
> > would have been in big-time trouble.
> >
> > All the best,
> > Jeff Cohen
> > Support@GEJ-IT.com
> > Tel. (416) 917-2324
> > www.GEJ-IT.com
> > GEJ-IT Networks!
> >
> >
> > > Users upload their files through the FTP.
> > >
> > > But it's not impossible either for them to create an
> > > 'upload-script' with PHP or CGI and put it in their home, and execute it.
> > >
> > > There is no protection against CGI scripts either. And yes,
> > > they could execute anything.
> > >
> > > suexec is a bit of a complicated process and needs recompiling of
> > > the Apache source.
> > >
> > > Isn't there any other way to stop users from executing/running
> > > scripts/binaries outside their 'home' directory?
> > >
> > > Here's an example
> > > (http://se2.php.net/manual/en/security.apache.php)
> > > of locking the scripts to their VirtualHost-DocumentRoot-directories:
> > >
> > > ------------------------------------------------------
> > >
> > > You can set open_basedir dynamically for every virtual host
> > > you have, so every PHP script on a virtual host is jailed to its
> > > document root.
> > >
> > > Example:
> > >
> > > ServerName www.example.com
> > > DocumentRoot /www-home/example.com
> > > [...]
> > >
> > > php_admin_value open_basedir \
> > > "/www-home/example.com/:/usr/lib/php/"
> > >
> > >
> > > If you set safe_mode on, then the script can only use binaries in
> > > given directories (make a special dir only with the binaries your
> > > customers may use).
> > >
> > > Now no user of a virtual host can read/write/modify the data of
> > > another user on your machine.
> > >
> > > ------------------------------------------------------
> > >
> > > Isn't there any similar directive for Apache to limit a user to their
> > > 'home' directory?
> > >
> > > Is it possible to use .htaccess here for limitation?
> > >
> > >
> > > regards,
> > >
> > > - Vildan
> > >
> > >
> > > > How do your users upload files to the server?
> > > > You do not have any protection against CGI scripts running on your
> > > > server; it's like having your clients running .exe files on the
> > > > system. What you can do is to add the users to the Windows 2000
> > > > itself and use suexec.
> > > >
> > > > All the best,
> > > > Jeff Cohen
> > > > Support@GEJ-IT.com
> > > > Tel. (416) 917-2324
> > > > www.GEJ-IT.com
> > > > GEJ-IT Networks!
> > > >
> > > >
> > > > > Hello,
> > > > >
> > > > > I run Apache 2.0.47 on Windows 2000 Server platform with PHP
> > > > > support.
> > > > >
> > > > > I have recently discovered that somebody created files outside
> > > > > their home directory and put them in root folder c:\
> > > > >
> > > > > My configuration is as follows:
> > > > >
> > > > > - Multiple websites are hosted on the web server using virtual hosts
> > > > > and domain name based configuration (not ip-based).
> > > > >
> > > > > ...
> > > > >
> > > > > ServerAdmin webmaster@website.com
> > > > > DocumentRoot c:\www\website\www
> > > > > ServerName www.website.com
> > > > > ErrorLog c:\www\website\log\error_log
> > > > > TransferLog c:\www\website\log\access_log
> > > > >
> > > > >
> > > > > ServerAdmin webmaster@website2.com
> > > > > DocumentRoot c:\www\website2\www
> > > > > ServerName www.website2.com
> > > > > ErrorLog c:\www\website2\log\error_log
> > > > > TransferLog c:\www\website2\log\access_log
> > > > >
> > > > > ...
> > > > >
> > > > > Those websites are stored in:
> > > > >
> > > > > c:\www <--- DocumentRoot "C:/www"
> > > > >
> > > > >
> > > > > So each website has its own 'home' as for virtual hosts above:
> > > > >
> > > > > c:\www\website\www
> > > > >
> > > > > c:\www\website2\www
> > > > >
> > > > >
> > > > > Currently, if some user uploads an executable script (PHP/CGI) into
> > > > > his home directory (e.g. c:\www\website2\www), he is able e.g. to write
> > > > > a file in c:\www\website\www or c:\ (root).
> > > > >
> > > > > 1.
> > > > > How can I limit users and their executable scripts to be
> > > > > run/executed only in their own 'home' (e.g. c:\www\website\www)
> > > > > directory, and limit their access to their DocumentRoot only?
> > > > >
> > > > >
> > > > > Best Regards,
> > > > >
> > > > > - Vildan
> > > > >
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
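As an added example (not code from the thread or from the Apache project), the permission scheme Jeff describes written as a PowerShell script that uses icacls instead of the Explorer security tab: dedicated service account, deny on the drive root, inheritance blocked and Modify ("Change") granted on the Apache home and the web root, then a listing of the resulting ACEs as a check. The service name Apache2.4, the Apache home C:\Apache24 and the web root C:\www are assumptions, and the script needs an elevated prompt.

```powershell
# Added example, not from the thread. Assumed names: service Apache2.4,
# Apache home C:\Apache24, web root C:\www. Run from an elevated prompt.
param(
    [string]$User        = 'apache_user',
    [string]$ServiceName = 'Apache2.4',
    [string]$ApacheRoot  = 'C:\Apache24',
    [string]$WebRoot     = 'C:\www'
)

# 1. Create the local service account if it does not exist yet.
$pw = Read-Host -AsSecureString -Prompt "Password for $User"
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $pw -PasswordNeverExpires `
        -Description 'Apache service account' | Out-Null
}

# 2. Make the service log on as that account. sc.exe needs the plaintext
#    password (it shows up in the command line) and, unlike the Services
#    console, does not grant "Log on as a service" by itself: assign that
#    right in the Local Security Policy, or set the account once in services.msc.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))
& sc.exe config $ServiceName obj= ".\$User" password= $plain | Out-Null

# 3. Deny the account everything from the drive root down; (OI)(CI) makes the
#    deny inherit to every file and folder that still inherits from C:\.
& icacls C:\ /deny "${User}:(OI)(CI)F" | Out-Null

# 4. On the two folders Apache must use: stop inheriting from the parent
#    (keeping copies of the other ACEs), drop the copied deny, grant Modify.
foreach ($dir in $ApacheRoot, $WebRoot) {
    & icacls $dir /inheritance:d   | Out-Null
    & icacls $dir /remove:d $User  | Out-Null
    & icacls $dir /grant "${User}:(OI)(CI)M" | Out-Null
}

# 5. List the ACEs that now apply to the account on each path, so the result
#    can be checked before the service is restarted. If the service then fails
#    to start, something it needs to read (e.g. a DLL or log path) is still
#    covered by the root deny and needs its own explicit allow.
function Get-UserAces([string]$Path, [string]$Account) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Account" } |
        Select-Object @{n='Path';e={$Path}}, AccessControlType,
                      FileSystemRights, IsInherited
}
'C:\', $ApacheRoot, $WebRoot |
    ForEach-Object { Get-UserAces -Path $_ -Account $User } |
    Format-Table -AutoSize
Restart-Service -Name $ServiceName
```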