httpd-users mailing list archives

From Sam Lavitt <...@lavitt.net>
Subject Re: [users@httpd] Apache 2.2 security concern
Date Sat, 12 May 2007 08:51:37 GMT
Nick Kew wrote:

>On Fri, 11 May 2007 23:01:12 -0500
>Sam Lavitt <sam@lavitt.net> wrote:
>
>>I am wondering if apache 2.2 has a means to prevent a user with a
>>site hosted on the server, from accessing another user's files.
>
>That's the operating system's business.
>
>>(e.g.
>>I have /hosting/user1, and I don't want him to be able to run a
>>script to open /hosting/user2/password-file)
>
>You mean protect user2 from possible consequences of idiocy?
>Read up on suexec for scripts.  And consider using group permissions.
>
>>I read someplace that
>>there was a mpm for apache 1.3 that would restrict the child threads
>>spawned for each request to files that could be accessed by a
>>specific user account, but I can find no such mpm for apache 2.2.
>
>An MPM is to 1.3 as a bicycle to a fish.
>
Sorry for my lack of clarity and experience, I came here looking for 
advice and help.

Based on my research, suexec only works for SSI and CGI, so it would be 
pointless for providing security with php, and doing mass-hosting, php 
is something in pretty common use.  And I am sorry, I misspoke, the mpm 
was mpm_perchild for apache 2.0, which apparently is abandoned and 
broken. (see http://httpd.apache.org/docs/2.0/mod/perchild.html )  I 
lack the programming skills that would be needed to repair it unfortunately.

So is there anything that is functional, maintained, and would allow me 
to provide the security that would be needed, ideally apache 2.2, if 
not, at least 2.0?  Or any other webserver which can provide the 
security needed?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
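
The "group permissions" suggestion quoted in this message comes down to making sure nothing under a site directory is accessible to "other", so that access depends only on the owning account and its group. The script below is an added example, not part of the original thread or of any Apache tooling: it audits a hosting root for paths that still grant access to "other" and can strip those bits from one site. The layout /hosting/<user> follows the message; the function names are hypothetical. It checks only filesystem modes and says nothing about which account a given script runs as.

```shell
#!/bin/sh
# Added example: audit per-user site directories for "other" access.
# Assumed layout (from the thread): ROOT/<user>/..., e.g. /hosting/user1.

# audit_hosting ROOT
# Prints, sorted, every path below ROOT that grants read, write or
# execute/search to "other" (accounts that are neither the owner nor a
# member of the file's group). ROOT itself is skipped because site owners
# need to traverse it. Symlinks are skipped because their own mode bits
# are not what the kernel checks.
# Returns 0 if nothing is exposed, 1 otherwise.
audit_hosting() {
    exposed=$(find "$1" -mindepth 1 ! -type l \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print | sort)
    if [ -z "$exposed" ]; then
        return 0
    fi
    printf '%s\n' "$exposed"
    return 1
}

# strip_other_access SITE_DIR
# Removes every "other" permission bit below one site directory and
# leaves owner and group bits untouched. Which group owns the tree
# (for example the web server's group) is a separate decision.
strip_other_access() {
    chmod -R o-rwx "$1"
}

# Typical use, run as root on the hosting box:
#   audit_hosting /hosting || echo "fix the paths listed above"
#   strip_other_access /hosting/user2
```
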

