Security Basics mailing list archives
Re: Unix Permissions: Using groups to isolate users from webserver
From: lits <lists () innocence-lost net>
Date: Thu, 2 Dec 2004 11:32:02 -0700 (MST)
four points to be made:
Special note: Use of this directive in <VirtualHost> requires a properly configured suEXEC wrapper. When used inside a <VirtualHost> in this manner, only the user that CGIs are run as is affected. Non-CGI requests are still processed with the user specified in the main User directive. <<<
However, without the aid of another bug in apache- one cannot view the files from virtual host X from virtual host Y (unless of course virtual host Y exists inside of X).
You are absolutely right -- this is what I tried to explain. Note that this also means that no acl's can help you.
rsbac (rsbac.org) has an extension of sorts that allows one to use role based acl's with apache, thus eliminating all of 'those' problems, the downside is that a new child is spawned for each request _because_ of the fact you cannot switch roles back, acl's can help here. ACL's would stop the 'inheriting' of parent priv's, especially role based acl's.
PHP can be run as apache module (that is inside apache) which makes suexec impossible or you can install it separately and make your PHP scripts usual unix scripts: start them with #!/usr/local/php/bin/php and chmod +x them.
Assuming Linux, you can enable misc binary formats in the kernel, then register php scripts with the kernel and you won't need to edit every php script or force all of your users to do so. They will however, require +x permissions, as all CGI's do.
As for running a apache process per user, doesn't that get cumbersom if you start having alot of users?It is not that cumbersome if you use Apache 2: http://httpd.apache.org/docs-2.0/mod/perchild.html#assignuserid
I am not incredibly familar with apache 2, but a couple notes on the subject- i wouldnt run apache 2 just out of security concerns (compare the number of advisories), but regardless of how the user space does things, forking hundreds/thousands of processes a second will be expensive regardless of what userland does. The best you could hope for here is that the child doesn't write to any memory (unlikely) and thus avoid's allocating a clean address space, because thats kinda unlikely, its expensive regardless.
-- Regards, ASK
Current thread:
- Re: Unix Permissions: Using groups to isolate users from webserver Alexander Klimov (Nov 30)
- Re: Unix Permissions: Using groups to isolate users from webserver drax (Dec 01)
- Re: Unix Permissions: Using groups to isolate users from webserver Alexander Klimov (Dec 02)
- Re: Unix Permissions: Using groups to isolate users from webserver lits (Dec 02)
- Re: Unix Permissions: Using groups to isolate users from webserver lists (Dec 02)
- Re: Unix Permissions: Using groups to isolate users from webserver Alexander Klimov (Dec 02)
- Re: Unix Permissions: Using groups to isolate users from webserver drax (Dec 01)