httpd-users mailing list archives

From "Gary Smith" <g...@primeexalia.com>
Subject [users@httpd] Apache 1.3 or 2.0 configuration question
Date Wed, 10 Mar 2004 23:02:41 GMT
Hello,
 
We have multiple sites that run on the same box with Apache 1.3.28.  The sites are running
as virtual hosts using a set of shared IPs.  We have a common directory structure for these
sites, /usr/home/sitename/www, that has all of the content in it.  The problem is that the directories
have 755 set on them.  Some of the more creative users have found a way to read the content
of the other sites by traversing the filesystem.  So we implemented the basedir in PHP, which
has helped.  So the user has telnetted into the box and can traverse the files as a normal
user (755).  This user has since been booted...
 
As these sites are configured with a common set of directory structures /usr/home/somesite/www/catalog/config/mypasswordfile.php
it is easy for them to guess what the path for somesite2 would be.
 
What is the best way to protect the content of the virtual host directory, allowing only the
user or Apache to read the file?  I was thinking about the user/group directive under 1.3.x for
each virtual host and then specifying username / users as the access level, then running a
chmod 700 on the directories. My readings lead me to believe that under 1.3.x this directive
only works for CGIs.
 
If I'm going to recompile everything then I can also look at using 2.0.x for this.
 
Is there a good way to do this?  How do other ISPs enforce this?
 
TIA, 
 
Gary Smith
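
An audit for the layout described in the message above, as an added example that is not part of the original post: it lists every path under BASE/<site> that another local account could read, treating a directory without the other-execute bit as a barrier for everything beneath it. The function names, the `site1`/`site2` directories and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout (from the message): BASE/<site>/www/...

# list_exposed BASE
# Prints each path that has the other-read bit set AND whose parent
# directories, from the site directory down, all have other-execute.
list_exposed() {
    base=$1
    for site in "$base"/*; do
        [ -d "$site" ] || continue
        # A directory without o+x cannot be traversed by other users, so
        # prune it: files below it are shielded even if they are mode 644.
        # Symlinks are skipped because their own mode bits are meaningless.
        find "$site" -type d ! -perm -001 -prune -o \
             ! -type l -perm -004 -print
    done
}

# count_exposed BASE -> number of exposed paths
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# make_sample_tree -> prints the root of a constructed two-site tree:
# site1 is 755 all the way down, site2 has 700 on its top directory only.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    for s in site1 site2; do
        mkdir -p "$root/$s/www/catalog/config"
        echo 'constructed secret' > "$root/$s/www/catalog/config/mypasswordfile.php"
        find "$root/$s" -type d -exec chmod 755 {} +
        chmod 644 "$root/$s/www/catalog/config/mypasswordfile.php"
    done
    chmod 700 "$root/site2"
    echo "$root"
}

# Stand-alone use: sh audit.sh /usr/home
[ "$#" -eq 0 ] || list_exposed "$1"
```

Mode 711 on a site directory hides the listing but still leaves files underneath readable when their path can be guessed, which the shared directory structure makes easy; the audit reports those files.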