httpd-users mailing list archives

From "Gary Smith" <g...@primeexalia.com>
Subject RE: [users@httpd] Virtual hosting user problem
Date Fri, 16 Apr 2004 16:15:12 GMT
After testing I must say that you are correct.  I have another question then that hopefully
people here can answer.
 
We have to be able to host 20 sites per box.  Each site has access to a MySQL db that contains
a variety of information.  We are trying to find a way to secure the user directories in such
a way that apache can continue to access the files in a read-only state but other users can't.
 The directory must be accessible via FTP to the client so they can upload data files and
download log files.  The users must also have shell access.
 
In the past we have put all of the client files into a special directory that is not accessible
via a shell account.  /usr/fileshare/websites/* (chmod 750 chowned fileserv.apache).  We used
proftpd for uploading files using aliasing and a user lookup file.  This has worked well for
our low end web sites.  We now have a new product that requires the end users to have shell
access to their web files.  
 
As we have been testing some new configurations with a couple clients we have run into the
problem that we have mentioned earlier.  A client can delete the directory and boom, the restart
of apache fails.  
 
The other problem is the security.  We decided on using their home directory for simplicity
and then changing the folder permissions to 704 so apache could read the web files but other
users couldn't.
 
Is there a better way to do this?
 
 

________________________________

From: Joshua Slive [mailto:joshua@slive.ca]
Sent: Fri 4/16/2004 5:14 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Virtual hosting user problem




On Thu, 15 Apr 2004, Gary Smith wrote:

> Makes sense.  Maybe for the logs directory it will be owned by root.root
> chmod 744.  For the www directory it will be owned by client.nobody
> chmod 704 (apache is other so it can still read).  The hidden file in
> the www directory will be owned by root.root 444.  This should be secure
> enough to stop them from deleting their directories and still allow
> apache to run properly.
>
> They don't have to have write access to the logs but they do have to
> have private read access to them.  They currently FTP the log files
> daily and will continue to need to do so.
>
> Thanks for all of the help guys.  I have received a lot of help today.

I think you're still in trouble.  Anyone with write access to a directory
can delete anything in that directory, regardless of ownership.

The usual solution is to put all the log directories in a root-owned
location and provide symlinks from the user-owned location.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
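
Added example, not part of either message: a Python model of the rule Joshua describes (removing a name is decided by the permissions on its parent directory, not by the entry's owner or mode), applied to the layout from the thread. The numeric IDs, the Node tuple and the function names are constructed for illustration.

```python
import os
import stat
from collections import namedtuple

# The os.stat() fields that decide whether a name can be removed.
Node = namedtuple("Node", "uid gid mode")

def may_remove(parent, entry, uid, gids=()):
    """POSIX unlink/rmdir rule: the caller needs write+search on the PARENT
    directory. The entry's own owner and mode matter only under the sticky bit."""
    if uid == 0:
        return True
    if uid == parent.uid:
        bits = parent.mode >> 6
    elif parent.gid in gids:
        bits = parent.mode >> 3
    else:
        bits = parent.mode
    if bits & 0o3 != 0o3:  # both w (2) and x (1) are required
        return False
    if parent.mode & stat.S_ISVTX:  # sticky: only the entry's or directory's owner
        return uid in (entry.uid, parent.uid)
    return True

def may_remove_path(path, uid, gids=()):
    """Same check against a real filesystem entry (lstat: do not follow symlinks)."""
    p = os.stat(os.path.dirname(os.path.abspath(path)))
    e = os.lstat(path)
    return may_remove(Node(p.st_uid, p.st_gid, p.st_mode),
                      Node(e.st_uid, e.st_gid, e.st_mode), uid, gids)

# Constructed IDs and layout, following the modes quoted in the thread.
CLIENT, ROOT, NOBODY = 1001, 0, 99
www = Node(CLIENT, NOBODY, stat.S_IFDIR | 0o704)    # client.nobody, chmod 704
hidden = Node(ROOT, ROOT, stat.S_IFREG | 0o444)     # root.root 444 file inside www
log_root = Node(ROOT, ROOT, stat.S_IFDIR | 0o755)   # root-owned log location
site_logs = Node(ROOT, ROOT, stat.S_IFDIR | 0o755)  # per-site log directory inside it
link = Node(ROOT, ROOT, stat.S_IFLNK | 0o777)       # www/logs -> per-site log directory

def audit():
    return {
        "root-owned 444 file in www": may_remove(www, hidden, CLIENT),
        "log directory under root-owned location": may_remove(log_root, site_logs, CLIENT),
        "symlink in www (target is untouched)": may_remove(www, link, CLIENT),
    }

if __name__ == "__main__":
    for what, removable in audit().items():
        print(f"client can remove {what}: {removable}")
```

With this layout the client can still remove the symlink, so the server configuration should name the root-owned path rather than the link.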





