httpd-users mailing list archives

From "J. Greenlees" <li...@jaqui-greenlees.net>
Subject Re: [users@httpd] suexec for another user
Date Thu, 12 Aug 2010 21:12:25 GMT
David Ricar wrote:
> Hello,
~snip~
> So my concept is based on two basic users for every website - one for 
> ftp and another for suexec run. Homedir of both is one level above any 
> website data and it is owned by root, ftp is chrooted there. If suexec 
> would be able to just check if code is in users homedir, I'd have what I 
> need. This way, I could limit where the web is able to rewrite itself - 
> make it as safe as possible with dynamic pages.
I believe the standard method of doing this, to completely lock the 
server from allowing a file system traversal to another client's website, 
is chroot, with /home/username being the top level for everything as far as 
they are concerned.

I have seen on multiple hosting services where there is a "system" in 
/home/username and nothing above it at all, yet it's identified as 
/home/username.
This tells me they are using chroot for even httpd, with the minimal 
system needed for the services to run properly copied into the userdir.

This makes the PRIMARY login the suexec user. Extra logins [such as for 
ftp access] do not have suexec access at all, and only the primary 
login is not in a chroot ftp login, stopping them from even getting into 
/home/username.

If you want to allow multiple logins to traverse the account's entire 
directory tree, you are allowing a hole in security anyway. The only fix 
is to have it only writable by the owner, so none of the other ftp logins 
can write anywhere but in the ftp folder.

Jaqui
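As an added illustration (not code from this thread or from suexec itself), the following Python routine enforces the "is the script inside the user's directory, and is it safe to run as that user" rule David asks about, mirroring the kind of checks suexec applies before executing a CGI as another uid: the symlink-resolved path must sit below the allowed root, be a regular file owned by the target uid, and not be group/world writable or setuid/setgid. The directory layout, file names and uid in `demo()` are constructed in a temp dir purely for the example.

```python
import os
import stat
import tempfile


def check_suexec_target(script_path, allowed_root, expected_uid):
    """Return (ok, reason) for a CGI candidate, in the spirit of suexec's
    pre-execution checks (assumed model, not suexec's own code)."""
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(script_path)      # follow symlinks first
    if os.path.commonpath([root, real]) != root:
        return False, "resolved path escapes allowed root"
    try:
        st = os.lstat(real)
    except FileNotFoundError:
        return False, "missing"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expected_uid:
        return False, "not owned by target uid"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world writable"
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        return False, "setuid/setgid bit set"
    return True, "ok"


def demo():
    # Constructed sandbox: a fake /home/alice with one good script, a symlink
    # that points outside the home, and a world-writable script.
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "alice")
    os.makedirs(os.path.join(home, "cgi-bin"))
    outside = os.path.join(base, "outside.cgi")
    open(outside, "w").close()
    good = os.path.join(home, "cgi-bin", "good.cgi")
    open(good, "w").close()
    os.chmod(good, 0o755)
    link = os.path.join(home, "cgi-bin", "escape.cgi")
    os.symlink(outside, link)                 # realpath sees through this
    loose = os.path.join(home, "cgi-bin", "loose.cgi")
    open(loose, "w").close()
    os.chmod(loose, 0o777)
    me = os.getuid()
    return {
        "good": check_suexec_target(good, home, me)[0],
        "symlink_escape": check_suexec_target(link, home, me)[0],
        "world_writable": check_suexec_target(loose, home, me)[0],
    }
```

Because the path is resolved before the containment test, a symlink dropped into the cgi-bin by an ftp login cannot be used to run code that lives elsewhere on the box.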

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

