Date: Fri, 19 Nov 2004 18:18:11 +0100
From: Smets Jan
To: users@httpd.apache.org
Subject: Re: [users@httpd] Userdir
Message-ID: <20041119171811.GA18054@smets.cx>
In-Reply-To: <004701c4ce53$506f85f0$0100a8c0@MEDIONPC>
References: <20041119131351.GA17528@smets.cx> <004701c4ce53$506f85f0$0100a8c0@MEDIONPC>

On 2004-11-19 17:17:48 (+0100), Ralf Glauberman wrote:
> try the php-safe-mode options, php will be able to change the dir but not
> to read files from other users.

Safe_mode is already enabled, but I really want things tightened down.

Thanks for your feedback.

> ----- Original Message -----
> From: "Smets Jan"
> To:
> Sent: Friday, November 19, 2004 2:13 PM
> Subject: [users@httpd] Userdir
>
>
> >Hello list,
> >
> >I have a question regarding mod_userdir and 'system security'
> >
> >"Userdir public_html" gives the effect of
> >http://host.tld/~user1 -> /home/user1/public_html
> >http://host.tld/~user2 -> /home/user2/public_html
> >etc.
> >
> >As you all know, with php enabled, www-data can access all public_html dirs,
> >and read all files in the public_html dir of other users.
> >To solve this problem I'm looking for a way to lock down http://host.tld/~user1
> >into /home/user1/public_html
> >(in other words, http://host.tld/~user1 links to /home/user1/public_html and
> >php shouldn't be able to change dir to /etc or so)
> >
> >When using vhosts there is an option named php_admin_value open_basedir /path/
> >
> >Unfortunately, when using mod_userdir there are not many options
> >
> > , where * is interpolated to all dirs in /home
> >having a /public_html subdir.
> >So I was thinking of doing the same thing, like php_admin_value open_basedir
> >/home/*/public_html, but of course this didn't work ;)
> >
> >A workaround could be creating a separate vhost file for every user with
> >open_basedir /home/$user/public_html, but I prefer not doing this.
> >
> >Does anyone have any other ideas to achieve the same result?
> >
> >Thanks in advance.
> >
> >--
> >Smets Jan
> >jan@smets.cx
> >
> >
> >---------------------------------------------------------------------
> >The official User-To-User support forum of the Apache HTTP Server Project.
> >See for more info.
> >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> >For additional commands, e-mail: users-help@httpd.apache.org

--
Smets Jan
jan@smets.cx
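
The per-user restriction asked about in this thread, as an added example that is not part of the original messages: a shell function that writes one <Directory> block per user, each pinning open_basedir to that user's own public_html. It assumes mod_php (so php_admin_value is accepted inside <Directory>), a /home/<user>/public_html layout, and that the output is saved to a file loaded with Include; the function name gen_userdir_conf is hypothetical.

```shell
#!/bin/sh
# Added example: generate per-user open_basedir blocks for mod_userdir sites.
# Assumed layout: <home_root>/<user>/public_html

# Print Apache config for every <home_root>/<user>/public_html directory.
gen_userdir_conf() {
    home_root=${1%/}
    for dir in "$home_root"/*/public_html; do
        # Skip when the glob matched nothing or the entry is not a directory
        [ -d "$dir" ] || continue
        # Skip a symlinked public_html so the block always names a real path
        if [ -L "$dir" ]; then continue; fi
        user=${dir%/public_html}
        user=${user##*/}
        # Accept only plain account names; quotes, spaces or newlines in a
        # directory name could otherwise inject directives into the config
        case $user in
            ''|*[!A-Za-z0-9._-]*) continue ;;
        esac
        # Trailing slash matters: older PHP compares open_basedir as a string
        # prefix, so ".../public_html" would also allow ".../public_html_old"
        printf '<Directory "%s">\n' "$dir"
        printf '    php_admin_value open_basedir "%s/"\n' "$dir"
        printf '</Directory>\n'
    done
}

# Constructed sample tree: two users with public_html, one without
demo_root=$(mktemp -d)
mkdir -p "$demo_root/user1/public_html" "$demo_root/user2/public_html" \
         "$demo_root/user3"
gen_userdir_conf "$demo_root"
rm -rf "$demo_root"
```

The generated file has to be rebuilt and Apache reloaded whenever accounts are added or removed. open_basedir only constrains PHP's own file functions, so filesystem permissions on each home directory still matter.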