Security Basics mailing list archives
Re: Apache: limiting the execution place
From: "Tim Greer" <chatmaster () charter net>
Date: Mon, 16 Jun 2003 10:49:27 -0700
From: "Nebi Gurbanov" <nebi () itu edu tr> To: <security-basics () securityfocus com> Sent: Monday, June 16, 2003 6:39 AM Subject: Apache: limiting the execution place
Greetings, I want to know your opinions for the case below; I have severel users whose home directories lay in /home directory . Each user has a public_html directory in his/her home directory ,like ; /home/user_name/public_html Permissions of directories "user_name" and "public_html" must be at least 701 , so that web pages can be viewed . But there is another case , any of the users can "cd" to parent directory (/home in this case) , and then to "another_usersname" directory (which is home directory of any other user), and then to public_html and can view all the readable file in public_html (even in "another_usersname" directory). It can also be done via php and cgi (Ok,I know setting "safe mode on" in php will prevent it, but I want a global solution). What I want to do is preventing one user from getting into another user's home directory and reading his/her files . Has anybody ever made a design that does the thing I want to have !? Thanx ..
Hi, Either implement the SuEXEC CGI wrapper and run PHP as CGI (you can put in a patch or hack the core source yourself (it's very simple) to make it to no user's have to change their scripts at all), or you will have to wait for Apache 2.x's MPM module to be out of BETA and use that to run each virtual host (not just CGI , but modules as well) as the user's own uid, or you will have to do some hacking of the Apache and PHP source to accomplish this )the most challenging). Then you can set user's home directories to 710 or 750 and deny 'world' access to read, write or execute any file(s) within their account directory, no matter what their permissions and ownership are set to beyond that account's parent directory (and then set Apache to run off of a special group and set all the user's parent home directories to that group). The first being the most simple solution, the second being you "wait" and the third would be an enjoyable challenge. However, if you're doing this for Apache 1.x, you'll be wasting your time, as Apache 2.x is soon to become the standard when all the modules will work for it after they are modified to work in Apache 2.x and the MPM module will probably be done by then. The point being, your patch or modifications to accomplish this will not be compatible once you upgrade. If you want to do this for 2.x, go for it, but MPM will likely be complete by then. I'd recommend doing the first solution and running PHP as CGI with SuEXEC. It will allow you to secure the server for PHP and CGI scripts, as well as FTP, shell, mail, etc. and kill a lot of birds with one stone--not to mention you have the control with rlimit*'s to make sure no dumb user's script can crash your server. A little trade off in overhead will give you better control and security, and again, you can apply a patch against the Apache source to make it so no user's have to change their PHP scripts. I've done the above solution for a couple of years without even one problem. Once Apache 2.x has more popular/common modules working with it (most do now), and MPM is ready, you have your solution. A web hosting provider I know of has been fighting with a custom modification for Apache 1.x for many, many months now and every time they think they have it ready, things break. I was going to attempt this myself a couple of years ago, and I regret not doing it. However, (and at least now) to me, it seems like a huge waste of time to apply such a thing to the 1.x source, I recommend waiting for MPM to be ready. -- Regards, Tim Greer chatmaster () charter net Server administration, security, programming, consulting. --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
Current thread:
- Apache: limiting the execution place Nebi Gurbanov (Jun 16)
- Re: Apache: limiting the execution place Chris Ess (Jun 16)
- Re: Apache: limiting the execution place Boris Dragovic (Jun 16)
- Re: Apache: limiting the execution place exon (Jun 17)
- Re: Apache: limiting the execution place Jonas Acres (Jun 17)
- Re: Apache: limiting the execution place exon (Jun 18)
- Re: Apache: limiting the execution place Tim Greer (Jun 18)
- Re: Apache: limiting the execution place Tim Greer (Jun 17)
- Re: Apache: limiting the execution place Chris Ess (Jun 16)