Security Basics mailing list archives
Re: Unix Permissions: Using groups to isolate users from webserver
From: Alexander Klimov <alserkli () inbox ru>
Date: Tue, 30 Nov 2004 17:54:14 +0200 (IST)
On Mon, 29 Nov 2004, drax wrote:
> I am running a server, which has user accounts accessible through ssh and is running a few services, moreover, apache for serving http. Some of these users have vhosts, and therefore apache goes in various users' home dir to fetch the webpages. I need the users to have full control of their vhost'ed files, and that is why they are in their respective $HOME and belong to them.

Note that it does not matter where the file resides -- to be readable/writable the only thing that matters is its access mode.

> Some of their web pages (php scripts, etc.) need to be able to write to the filesystem. Therefore apache must be able to write in those particular parts of their $HOME. Additionally, some of their web scripts (conf files with SQL passwords, etc.), need to be protected from other users. But obviously, still be accessible by apache. The way I solved this problem is the following: [...] Do you believe my setup is correct and up to the task, or could it be circumvented in a matter of minutes?

Since your webserver is always executed with the same UID which allows to read/write all users' data then every user who can execute something on it has exactly the same abilities. The proper way to solve your problem is to execute scripts with UIDs of respective users:

http://httpd.apache.org/docs/suexec.html

Note, that since usually php is executed inside httpd you need to switch to CGI mode or use different UIDs for httpds for different vhosts (AFAIK this is greatly simplified by Apache 2).

--
Regards,
ASK
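
The point made in the reply above, as an added example that is not part of the original post: a small model of the classic Unix owner/group/other check, comparing what one vhost's script can reach when every vhost runs under a single web server UID with what it can reach when it runs under its owner's UID (as with suexec). The UIDs, GIDs, paths, modes and the group-based layout are constructed assumptions, and directories on each path are assumed searchable by the process.

```python
import stat
from collections import namedtuple

# Constructed sample data: UIDs, GIDs, paths and modes are assumptions, not from the post.
File = namedtuple("File", "path uid gid mode")
Cred = namedtuple("Cred", "name uid gids")

WWW_GID = 48  # hypothetical group the web server belongs to
FILES = [
    File("/home/alice/www/conf.php", 1001, WWW_GID, 0o640),
    File("/home/alice/www/upload/data.txt", 1001, WWW_GID, 0o660),
    File("/home/bob/www/conf.php", 1002, WWW_GID, 0o640),
]

def allowed(cred, f, want):
    """Unix DAC check for 'r' or 'w'; only the first matching class is consulted."""
    if cred.uid == 0:
        return True
    if cred.uid == f.uid:
        bit = {"r": stat.S_IRUSR, "w": stat.S_IWUSR}[want]
    elif f.gid in cred.gids:
        bit = {"r": stat.S_IRGRP, "w": stat.S_IWGRP}[want]
    else:
        bit = {"r": stat.S_IROTH, "w": stat.S_IWOTH}[want]
    return bool(f.mode & bit)

def reachable(cred, files):
    """Map each accessible path to 'r', 'w' or 'rw' for the given credential."""
    out = {}
    for f in files:
        perms = "".join(w for w in "rw" if allowed(cred, f, w))
        if perms:
            out[f.path] = perms
    return out

def cross_tenant(cred, script_owner_uid, files):
    """Paths a script of script_owner_uid's vhost can reach that belong to another user."""
    owners = {f.path: f.uid for f in files}
    return sorted(p for p in reachable(cred, files) if owners[p] != script_owner_uid)

shared = Cred("apache", 48, {WWW_GID})   # one UID serving every vhost
suexec_bob = Cred("bob", 1002, {1002})   # bob's scripts running as bob

if __name__ == "__main__":
    print("shared UID, bob's script reaches:", cross_tenant(shared, 1002, FILES))
    print("per-user UID, bob's script reaches:", cross_tenant(suexec_bob, 1002, FILES))
```
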