Re: Apache: limiting the execution place

[exon <exon () home se>]

I don't quite see the point, or I've misunderstood what you're asking for.
Do you want to block local users from seeing what global users can? What
hinders the local users from getting it anyway through the webserver
instead?

/Andy



On Mon, 16 Jun 2003, Chris Ess wrote:

> Comments below.
>
> > Greetings,
> > I want to know your opinions for the case below;
> >
> > I have severel users whose home directories lay in /home directory .
> > Each user has a public_html directory in his/her home directory ,like ;
> > /home/user_name/public_html
> > Permissions of directories "user_name" and "public_html" must be at
> > least 701 , so that web pages can be viewed .
> > But there is another case , any of the users can "cd" to parent
> > directory (/home in this case) , and then to "another_usersname"
> > directory (which is home directory of any other user), and then to
> > public_html and can view all the readable file in public_html (even in
> > "another_usersname" directory).
> > It can also be done via php and cgi
> > (Ok,I know setting  "safe mode on" in php will prevent it, but I want a
> > global solution).
>
> One solution would be to chgrp the directories under /home to 'www' (or
> whatever group apache runs as) and then use permissions 710.  Then users
> would not be able to gain entry into the home directories of other uers
> through the shell or FTP.
>
> Disabling access through PHP and CGI would be a bit tricker.  I think you
> can use suexec to force any CGI scripts to run as the user who owns it.
> I have not tried this myself, so I do not know if it will work. (I suggest
> reading the following page on suexec:
> http://httpd.apache.org/docs/suexec.html )
>
> As far as limiting PHP...  You may have to rely on enabling safe mode amd
> then setting the doc_root setting for each variable to the user's home
> directory.  Another method, although a bit nastier, is that, for any user
> who wishes to run PHP, you assign them a PHP CGI which is owned by them
> and then you can run that through suexec as well.
>
> There may be other ways to do this.  I've never really thought about
> setting this up.  Maybe I'll try it later tonight.
>
> I hope this helps.
>
> Sincerely,
>
>
> Chris Ess, CDTT (Certified Duct Tape Technician)
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------