httpd-users mailing list archives

From David Ricar <...@ethernet.cz>
Subject Re: [users@httpd] suexec for another user
Date Fri, 13 Aug 2010 01:13:40 GMT
Phil Howard wrote:
> On Thu, Aug 12, 2010 at 13:02, David Ricar <reg@ethernet.cz> wrote:
> [...]
> 
> Sorry, I'm still not understanding what you are doing.  I didn't
> understand why you need two users per each site.

J. Greenlees wrote:
> I believe the standard method of doing this, to completely lock the
> server from allowing a file system traversal to another client's website,
> is chroot, with /home/username being the top level for everything as far as
> they are concerned.
...
> If you want to allow multiple logins to traverse the account's entire
> directory tree, you are allowing a hole in security anyway. The only fix
> is to have it writable only by the owner; none of the other ftp logins
> can write anywhere but in the ftp folder.

If a site is writable by the user running Apache, it could be overwritten.
Many bugs that are useless when there is a single user for the whole Apache
(and multiple users for FTP) grow into a huge potential problem. Any exploit
that gets further could be used far more easily, and so on.
Because there is a need for high-level admins of groups of sites (no root
for these), there is a need for more than a single writing user anyway.

I wrote at the very beginning that I consider the requirement for
self-rewriting of the whole web a security hole too. Is that too odd?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
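A check for the point raised above (a site tree that the user Apache runs as can modify): this is an added example, not code from this thread or from the Apache project. It assumes the httpd identity is given as a numeric uid and primary gid, and it reasons from ownership and mode bits only; the function names are hypothetical.

```shell
#!/bin/sh
# Audit a document root for anything the httpd identity can modify.
# Only classic ownership/mode bits are considered: POSIX ACLs, supplementary
# groups and chattr immutable flags are outside this check (assumption).
#
# Usage: httpd_writable DOCROOT HTTPD_UID HTTPD_GID
# Prints every file or directory (symlinks skipped) that is
#   - writable by anyone            (mode ----w-), or
#   - group-writable and in HTTPD_GID (mode --w----), or
#   - owner-writable and owned by HTTPD_UID (mode -w------).
# A writable directory counts too: files inside it can be replaced.
httpd_writable() {
    docroot=$1
    uid=$2
    gid=$3
    find "$docroot" ! -type l \( -perm -0002 \
        -o \( -gid "$gid" -perm -0020 \) \
        -o \( -uid "$uid" -perm -0200 \) \) -print | LC_ALL=C sort
}

# Succeeds (exit 0) only when nothing under DOCROOT is writable by the
# httpd identity, i.e. the tree is read-only from Apache's point of view.
httpd_docroot_readonly() {
    [ -z "$(httpd_writable "$1" "$2" "$3")" ]
}

# Stand-alone run: audit /var/www for a hypothetical httpd uid/gid of 33.
if [ "${0##*/}" = "httpd_writable.sh" ]; then
    httpd_writable "${1:-/var/www}" "${2:-33}" "${3:-33}"
fi
```

Any path the script prints is one that a compromised CGI, PHP or module running as the httpd user could rewrite; the fix in the thread is to make those owned and writable by the site's own user instead.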

