Security Basics mailing list archives

Re: Apache: limiting the execution place


From: "Tim Greer" <chatmaster () charter net>
Date: Mon, 16 Jun 2003 10:49:27 -0700




From: "Nebi Gurbanov" <nebi () itu edu tr>
To: <security-basics () securityfocus com>
Sent: Monday, June 16, 2003 6:39 AM
Subject: Apache: limiting the execution place


Greetings,
I want to know your opinions for the case below;

I have several users whose home directories lie in the /home directory.
Each user has a public_html directory in his/her home directory, like:
/home/user_name/public_html
Permissions of directories "user_name" and "public_html" must be at
least 701, so that web pages can be viewed.
But there is another case: any of the users can "cd" to the parent
directory (/home in this case), and then to the "another_usersname"
directory (which is the home directory of any other user), and then to
public_html, and can view all the readable files in public_html (even in
the "another_usersname" directory). It can also be done via PHP and CGI
(OK, I know setting "safe mode on" in PHP will prevent it, but I want a
global solution).

What I want to do is prevent one user from getting into
another user's home directory and reading his/her files.
Has anybody ever made a design that does the thing I want to
have!?


Thanx ..

Hi,

Either implement the SuEXEC CGI wrapper and run PHP as CGI (you can put in a
patch or hack the core source yourself (it's very simple) to make it so no
users have to change their scripts at all), or you will have to wait for
Apache 2.x's MPM module to be out of BETA and use that to run each virtual
host (not just CGI, but modules as well) as the user's own uid, or you will
have to do some hacking of the Apache and PHP source to accomplish this (the
most challenging).

Then you can set users' home directories to 710 or 750 and deny 'world'
access to read, write or execute any file(s) within their account directory,
no matter what their permissions and ownership are set to beyond that
account's parent directory (and then set Apache to run off of a special
group and set all the users' parent home directories to that group).

The first being the most simple solution, the second being you "wait" and
the third would be an enjoyable challenge. However, if you're doing this for
Apache 1.x, you'll be wasting your time, as Apache 2.x is soon to become the
standard when all the modules will work for it after they are modified to
work in Apache 2.x and the MPM module will probably be done by then. The
point being, your patch or modifications to accomplish this will not be
compatible once you upgrade.

If you want to do this for 2.x, go for it, but MPM will likely be complete
by then. I'd recommend doing the first solution and running PHP as CGI with
SuEXEC. It will allow you to secure the server for PHP and CGI scripts, as
well as FTP, shell, mail, etc. and kill a lot of birds with one stone--not
to mention you have the control with rlimit*'s to make sure no dumb user's
script can crash your server. A little trade off in overhead will give you
better control and security, and again, you can apply a patch against the
Apache source to make it so no users have to change their PHP scripts.

I've done the above solution for a couple of years without even one problem.
Once Apache 2.x has more popular/common modules working with it (most do
now), and MPM is ready, you have your solution. A web hosting provider I
know of has been fighting with a custom modification for Apache 1.x for
many, many months now and every time they think they have it ready, things
break. I was going to attempt this myself a couple of years ago, and I
regret not doing it. However, (and at least now) to me, it seems like a huge
waste of time to apply such a thing to the 1.x source; I recommend waiting
for MPM to be ready.
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
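
The permission layout recommended in the reply above, as an added example that is not part of the original thread: a shell audit that flags home directories still reachable by 'world' (such as the 701 from the question) and a helper that applies 710 or 750. It assumes GNU `stat`; the function names and the group passed as WEBGROUP are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Linux).
# WEBGROUP is the special group the Apache user runs under; its name is
# site-specific, so it is passed in (group name or numeric gid).

# audit_homes BASE WEBGROUP
# Prints "<verdict> <mode> <group> <path>" for each directory under BASE:
#   WORLD   an "other" bit is set (701, 711, 755 ...): any local user, or
#           any script running as the shared web user, can get in
#   GROUP   not group-owned by WEBGROUP, so Apache would be locked out
#   NOEXEC  group lacks the search (x) bit, so Apache cannot traverse
#   OK      matches the 710/750 layout described in the reply
audit_homes() {
    base=$1 webgroup=$2
    for dir in "$base"/*/; do
        dir=${dir%/}
        # Skip unmatched globs and symlinks; only real directories count.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        mode=$(stat -c %a "$dir")
        gname=$(stat -c %G "$dir")
        gid=$(stat -c %g "$dir")
        other=$((mode % 10))        # last octal digit: world bits
        group=$((mode / 10 % 10))   # middle digit: group bits
        if [ "$other" -ne 0 ]; then
            verdict=WORLD
        elif [ "$gname" != "$webgroup" ] && [ "$gid" != "$webgroup" ]; then
            verdict=GROUP
        elif [ $((group & 1)) -eq 0 ]; then
            verdict=NOEXEC
        else
            verdict=OK
        fi
        printf '%s %s %s %s\n' "$verdict" "$mode" "$gname" "$dir"
    done
}

# lock_home DIR WEBGROUP [MODE]
# Group-own DIR by WEBGROUP, then chmod 710 (default) or 750.
# Only the top-level home directory is changed.
lock_home() {
    chgrp "$2" "$1" && chmod "${3:-710}" "$1"
}
```

Run `audit_homes /home <group>` before and after applying `lock_home`. As the reply notes, removing the world bits only isolates users from each other's scripts once CGI and PHP run under SuEXEC as the owning uid.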



