Posted to users@httpd.apache.org by Steve <st...@iprimus.com.au> on 2002/11/20 11:27:06 UTC

[users@httpd] Securing web folders

Hey,
Using the apache web server running under user www and group www.

This makes it so apache reads all files as user www and group www.

I was wondering how you would protect a user from writing a php file to, like,
view the contents of another user's web files..

Just say user1 has a

~/web/config.php (which he/she does not want anyone else to see)

Now user2 could write a php script to

cat /home/user1/web/config.php (which therefore steals all his/her data)

How would one stop this from happening?

/Steve


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Securing web folders

Posted by Robert Andersson <ro...@profundis.nu>.
Steve wrote:
> So there is no real way of making a folder really secure?
>
> Is there a how-to on php as cgi, so I can make suexec run on it?

I think PHP has an option to only allow access to files that live under
that VHost's DocumentRoot, which could provide that safety. I haven't yet
experimented with that feature myself, so I don't know if it really works
that way.

Regards,
Robert Andersson




Re: [users@httpd] Securing web folders

Posted by Steve <st...@iprimus.com.au>.
Ok thanks for the input..

I would prefer not to update to apache2 yet, as it is still in experimental
stages..

So there is no real way of making a folder really secure?

Is there a how-to on php as cgi, so I can make suexec run on it?

/Steve

----- Original Message -----
From: "Chris Meadors" <cl...@hereintown.net>
To: <us...@httpd.apache.org>
Sent: Thursday, November 21, 2002 1:52 AM
Subject: Re: [users@httpd] Securing web folders


> Steve wrote:
> > Hey,
> > Using the apache web server running under user www and group www.
> >
> > This makes it so apache reads all files as user www and group www.
>
> Yep.
>
> > I was wondering how you would protect a user from writing a php file to, like,
> > view the contents of another user's web files..
> >
> > Just say user1 has a
> >
> > ~/web/config.php (which he/she does not want anyone else to see)
> >
> > Now user2 could write a php script to
> >
> > cat /home/user1/web/config.php (which therefore steals all his/her data)
> >
> > How would one stop this from happening?
>
> For CGI scripts you can use SuEXEC to cause the CGI scripts to run as
> the user, then revoke the globally readable permissions of the directory
> which contains the data.
>
> But since you mention PHP, which is usually included in the server as
> mod_php, it won't work.  One solution is to stick with SuEXEC and not use
> mod_php but run the .php files in CGI mode.  Or go to Apache 2.0 and use
> the PerChild MPM.  The PerChild MPM causes the Apache root-started process
> to fork for each user that needs content served under their own UID.
> The forked processes then change the user they are running under from
> root to the owner of the directory.
>
> This is great, but the PerChild MPM is still experimental in the current
> release of 2.0.  I'm having trouble with it just hanging and refusing to
> respond to new connections after just about a minute of use.  But what
> they need are more people experimenting with it.  So if you have a test
> machine, have a look at it and see if it works for you.  I think it is a
> great solution, with a lot of content moving from externally launched
> CGI to built-in modules.
>
> --
> Chris
>
>




Re: [users@httpd] Securing web folders

Posted by Chris Meadors <cl...@hereintown.net>.
Steve wrote:
> Hey,
> Using the apache web server running under user www and group www.
> 
> This makes it so apache reads all files as user www and group www.

Yep.

> I was wondering how you would protect a user from writing a php file to, like,
> view the contents of another user's web files..
> 
> Just say user1 has a
> 
> ~/web/config.php (which he/she does not want anyone else to see)
> 
> Now user2 could write a php script to
> 
> cat /home/user1/web/config.php (which therefore steals all his/her data)
> 
> How would one stop this from happening?

For CGI scripts you can use SuEXEC to cause the CGI scripts to run as 
the user, then revoke the globally readable permissions of the directory 
which contains the data.

But since you mention PHP, which is usually included in the server as
mod_php, it won't work.  One solution is to stick with SuEXEC and not use
mod_php but run the .php files in CGI mode.  Or go to Apache 2.0 and use
the PerChild MPM.  The PerChild MPM causes the Apache root-started process
to fork for each user that needs content served under their own UID.
The forked processes then change the user they are running under from
root to the owner of the directory.

This is great, but the PerChild MPM is still experimental in the current
release of 2.0.  I'm having trouble with it just hanging and refusing to
respond to new connections after just about a minute of use.  But what
they need are more people experimenting with it.  So if you have a test
machine, have a look at it and see if it works for you.  I think it is a
great solution, with a lot of content moving from externally launched
CGI to built-in modules.

-- 
Chris
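An added example, not posted by anyone in the thread, for the "revoke the globally readable permissions" step Chris describes once CGI runs under SuEXEC as the owner: a small POSIX sh audit that lists everything in a web tree any other local account could open or traverse, and the function that strips those bits. The web directory path is the caller's; nothing here knows about httpd's own group, which is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit and harden a user's web tree
# along the lines of the SuEXEC advice above (run the user's CGI as the
# owner, then revoke the "other" permission bits so no other account can
# read it). Assumes POSIX sh, find(1) and chmod(1); the directory is
# supplied by the caller. Ownership and group bits are left untouched.

# List every path under $1 that grants read or execute/search to "other",
# i.e. what a script running as any unrelated UID could open or descend
# into. One path per line, sorted, so the result is stable to compare.
audit_world_readable() {
    find "$1" \( -perm -004 -o -perm -001 \) -print | sort
}

# Number of world-accessible entries, handy as a pass/fail check in cron.
count_world_readable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

# Strip read, write and execute for "other" from the whole tree. After this
# the web server's own UID (www in the thread) cannot read it either, which
# is the point: only a CGI that SuEXEC has switched to the owner's UID gets
# in. Static files httpd must still serve need group access instead, which
# this function deliberately does not grant.
revoke_other_access() {
    chmod -R o-rwx "$1"
}

# Usage: sh audit_web.sh /home/user1/web   (reports only; call
# revoke_other_access yourself once you have reviewed the list)
if [ -n "${1:-}" ]; then
    audit_world_readable "$1"
    echo "world-accessible entries: $(count_world_readable "$1")"
fi
```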

