httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mikkel Christensen <mik...@talkactive.net>
Subject Re: [users@httpd] Apache refuses to start when it's user is member of to many groups
Date Fri, 07 May 2004 23:01:21 GMT
On Friday 07 May 2004 14:11, Gary Smith wrote:
> Here is what I did while playing around.
> 
> * Apache runs under apache.apache.
> * Each user is user.nobody.
> * Users are not a member of any other group (important for the next
> part)
> * Users home dirs are drwx---r-x (705)
> * Users htdocs directory would be /home/username/htdocs
> * Users web dirs are drwx---r-x (705)
> * Logs are kept in the directory /var/log/users/username
> * Log file directory (/var/log/users/user) is owned by user.nobody
> * Log file directory permissions is dr-x------ (500)
> * open_basedir setting is /home/user;/usr/local/horde, etc... (we have
> an alias for a common shared horde install.
> 

Why not use user.user as owner/group?
Why do you use nobody as group?
The reason for using the same group for all users should be if apache is member of that group
thus gaining group access to all files through it's membership.
Or did have I misunderstood your point?

> 
> I think it's pretty secure overall as no users on the system will be in
> any other group than nobody.  They can FTP to their home directories
> only (proftpd).  Apache is fairly locked when it comes to what they can
> script with PHP.

What about executing system commands in php?
echo `cat /home/username/htdocs/secret_password_file`;
Also the function system() could be used.

Also php when creates files they will be owned by apache.apache. (since apache runs php under
it's own user)
Meaning the users will not have access to these files through their ftp. So still there are
some issues.
I myself have not yet found a sollution to this.

> 
> If they get bold and write some scripts later in the future and run them
> they will be running under the suexec.  This will make the scripts run
> as user.nobody.  This will prevent them from looking around into other
> users worlds as nobody has zero permissions.
> 

 But if the script is run as user.user instead you wouldn't have to bother setting nobodys
permissions to zero right?
In my oppinion it would give the same result but you wouldn't have to change permissions for
the group.

- Mikkel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message