httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Ricar <>
Subject Re: [users@httpd] suexec for another user
Date Thu, 12 Aug 2010 17:02:21 GMT
Phil Howard wrote:
> I don't understand what it is you are doing, so I cannot comment on
> whether it is common or not, or even secure.  A test to detect if
> others can write a file that would be executed is a critical test on a
> multi-user machine.  Similarly, testing if all parent directories can
> be written by others is important, too (otherwise, someone could move
> names around at some directory level to get their executable to be
> used).

I am making a new system for midsize webhoster, so there are many users,
many sites for them and more levels of privileges than simple user and
root. It consists of 10+ virtual systems now and will grow as required
in the future, mainly with more worker systems using apache with this or
other kind of su.

I need to protect all the sites from themselves - have one unix uid for
upload and file management and another for actual run of the site.
Basicaly every site has these two plus there are priviledged master
accounts for some different groups of sites. I can secure that there is
simply no acces to any unprivilegeled some directory levels above site
code, every site structure is created by root and privileges+acls are
set on the lowest possible level.

Sftp requires for chroot, that target directory or anything above it is
writable by anyone except root, so everything above is well protected
and I want to fiddle at lowest level of the structure.

Is it better if I relax the tests to main group of that user? It would
mean that some users get listed in thousands of groups, which seems
worse to me.

If anyone knows about some usefull article I semm missed while googling,
that would enlighten me, I'd be thankful too. I is my job, but I try to
make the last piece sorted out the best possible way and eventualy, I
went here.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message