Posted to users@httpd.apache.org by Wim Godden <wi...@godden.net> on 2002/09/14 11:53:20 UTC

[users@httpd] suexec providing access to other user's files

I've installed suexec and want to use it to allow people to run cgi
programs.
All my hosting accounts are located in /hosting

Suppose the following situation :
- User A has a domain name usera.com
- User B has a domain name userb.com
- User A will have his files in /hosting/usera.com/www/cgi-bin and
/hosting/usera.com/www/html
- User B will have his files in /hosting/userb.com/www/cgi-bin and
/hosting/userb.com/www/html
- suexec is installed with a docroot of /hosting/ and a safe-path of
/usr/local/bin:/usr/bin:/bin
- The suexec caller is nobody and the uid and gid is nobody as well.

Now, when user A has a simple ksh script containing this:
#!/usr/bin/ksh
print "\n"
cat /hosting/userb.com/www/html/index.html

Then the index.html is shown. It gets even worse if he reads files with
passwords.


How can I stop users from reading each other's files? I can't put the
directory on 700, because then Apache won't be able to read it anymore,
right?

Greetings,

Wim


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] suexec providing access to other user's files

Posted by Joshua Slive <jo...@slive.ca>.
On Sat, 14 Sep 2002, Wim Godden wrote:

> I've installed suexec and want to use it to allow people to run cgi
> programs.

> Now, when user A has a simple ksh script containing this:
> #!/usr/bin/ksh
> print "\n"
> cat /hosting/userb.com/www/html/index.html
>
> Then the index.html is shown. It gets even worse if he reads files with
> passwords.
>
>
> How can I stop users from reading each other's files? I can't put the
> directory on 700, because then Apache won't be able to read it anymore,
> right?

All suexec does is change the userid that the cgi runs under.  It is your
responsibility to set permissions on files such that the relevant userid
can only access the files that you want.  One clue: create a "groupa" that
contains "usera" and "apache" (or whatever user the web server runs
under).  Then change the permissions of all files under usera.com so that
only groupa can read them and only usera can write them.

Joshua.
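The group-based scheme Joshua describes, written out as an added example (not code from the thread or from the httpd project). Assumed names: account user "usera", per-account group "groupa", web server user "apache", account tree /hosting/usera.com; the group and ownership steps need root and are only printed, while the mode changes and the audit run as the account owner.

```shell
#!/bin/sh
# Added example: one group per hosting account, containing the account
# owner and the web server user. Files are readable by that group only
# and writable by the owner only, so nothing is left readable by "other"
# and another account's suexec'd CGI cannot cat this account's files.
# Names (usera, groupa, apache, /hosting/usera.com) are assumptions.

# Print the privileged steps (group creation, membership, ownership).
plan_group_setup() {
  user=$1; group=$2; webuser=$3; dir=$4
  echo "groupadd $group"
  echo "usermod -a -G $group $user"
  echo "usermod -a -G $group $webuser"
  echo "chown -R $user:$group $dir"
}

# Apply the mode bits: directories 750 (group may traverse, world may
# not), plain files 640, CGI scripts 750 (suexec runs them as the owner,
# so only the owner needs the execute bit). No bit is set for "other".
harden_tree() {
  dir=$1
  find "$dir" -type d -exec chmod 750 {} +
  find "$dir" -type f -exec chmod 640 {} +
  if [ -d "$dir/www/cgi-bin" ]; then
    find "$dir/www/cgi-bin" -type f -exec chmod 750 {} +
  fi
}

# Audit: list anything under the tree that still carries the world-read
# bit (octal 004). Empty output means other accounts' CGIs see nothing.
world_readable() {
  find "$1" -perm -004
}

# Usage (plan as root, the rest as the account owner):
#   plan_group_setup usera groupa apache /hosting/usera.com | sh
#   harden_tree /hosting/usera.com
#   world_readable /hosting/usera.com
```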

