httpd-users mailing list archives

From "Robert Andersson" <rob...@profundis.nu>
Subject Re: [users@httpd] Prevent Users from reading other webroots
Date Fri, 18 Jun 2004 14:54:10 GMT
Zoup wrote:
> On some hosting server, which users use /home/*/public_html as their
> VirtualHost server, the problem is that a user can run some script in their
> own home directory and read other webroots' content, for example:
>
> /home/user1/public_html/thief.php
> is able to read:
> /home/user2/public_html/file.ext

When having PHP as a module and CGIs generally without SuExec, they will
run with the permissions of Apache, which of course must be able to read
those files.

The solution for CGIs is to use SuExec so they are executed by the
corresponding user, and have file permissions set up so that users cannot
read/execute each other's files. That can be tricky, see:
    http://httpd.apache.org/docs-2.0/suexec.html

For PHP, there are a few options (with which I'm not very experienced) that
can control security. I know there are ways to disable "dangerous" functions
(such as system() etc) and limit functions such as read() so they cannot
read stuff outside the document root. See PHP's configuration file, and
there should be stuff about it here:
    http://www.php.net/manual/en/security.index.php

You can also, as do many shared-hosting companies, run PHP as a CGI + SuExec
instead of as a module.

Regards,
Robert Andersson
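
One way the SuExec and PHP restrictions discussed in this reply could be laid out for a single user's virtual host, as an added example that is not part of the original message. The host name, the user1 account, the Apache group and the directory layout are assumptions; open_basedir and disable_functions are the PHP settings assumed to be the ones the reply alludes to.

```apache
# Added example. user1, user1.example.test and all paths are placeholders.
#
# Filesystem side (assumed layout):
#   /home/user1              mode 0711, owner user1
#   /home/user1/public_html  owner user1, group = Apache's group, no access
#                            for "other", so user2's shell account and CGIs
#                            running as user2 cannot read it.
# Apache still reads static files through the group bit. That is also why
# mod_php code, which runs as the Apache user, needs open_basedir below.

<VirtualHost *:80>
    ServerName user1.example.test
    DocumentRoot /home/user1/public_html

    # CGI programs requested through this vhost run as user1, not as the
    # Apache user. suexec refuses programs that are not owned by that user,
    # are writable by group/other, or live outside the document root it was
    # compiled with (--with-suexec-docroot), so a /home layout needs suexec
    # built accordingly.
    SuexecUserGroup user1 user1
    ScriptAlias /cgi-bin/ /home/user1/public_html/cgi-bin/

    <Directory /home/user1/public_html>
        Options -Indexes
        AllowOverride None
    </Directory>

    # Only valid when PHP is loaded as an Apache module. Confines PHP file
    # functions (fopen, include, file_get_contents, ...) to the listed
    # directory trees. php_admin_value cannot be overridden from .htaccess
    # or ini_set().
    php_admin_value open_basedir "/home/user1/public_html/:/home/user1/tmp/"
    php_admin_value upload_tmp_dir "/home/user1/tmp"
</VirtualHost>

# php.ini (server-wide, cannot be set per vhost): remove the functions that
# start external programs, since a child process is not bound by open_basedir.
#   disable_functions = system,exec,passthru,shell_exec,popen,proc_open
```

open_basedir is enforced inside PHP only, so the operating system still sees every mod_php script as the Apache user; running PHP as a CGI under SuExec is what moves the boundary to file ownership.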

