Posted to users@httpd.apache.org by Gary Smith <ga...@primeexalia.com> on 2004/03/11 00:02:41 UTC

[users@httpd] Apache 1.3 or 2.0 configuration question

Hello,
 
We have multiple sites that run on the same box with apache 1.3.28.  The sites are running as virtual hosts using a set of shared IPs.  We have a common directory structure for these sites /usr/home/sitename/www that has all of the content in it.  The problem is that the directories have 755 set on them.  Some of the more creative users have found a way to read the content of the other sites by traversing the filesystem.  So we implemented the basedir in PHP which has helped.  So the user has telneted into the box and can traverse the files as a normal user (755).  This user has since been booted... 
 
As these sites are configured with a common set of directory structures /usr/home/somesite/www/catalog/config/mypasswordfile.php it is easy for them to guess what the path for somesite2 would be.
 
What is the best way to protect the content of the virtual host directory, allowing only the user or apache to read the file?  I was thinking about the user/group directive under 1.3.x for each virtual host and then specifying username / users as the access level then running a chmod 700 on the directories. My readings lead me to believe that under 1.3.x this directive only works for CGIs.
 
If I'm going to recompile everything then I can also look at using 2.0.x for this.
 
Is there a good way to do this?  How do other ISPs enforce this?
 
TIA, 
 
Gary Smith
 
 
 

Re: [users@httpd] Apache 1.3 or 2.0 configuration question

Posted by Aaron W Morris <aa...@mindspring.com>.
Gary Smith wrote:

> Hello,
>  
> We have multiple sites that run on the same box with apache 1.3.28.  The sites are running as virtual hosts using a set of shared IPs.  We have a common directory structure for these sites /usr/home/sitename/www that has all of the content in it.  The problem is that the directories have 755 set on them.  Some of the more creative users have found a way to read the content of the other sites by traversing the filesystem.  So we implemented the basedir in PHP which has helped.  So the user has telneted into the box and can traverse the files as a normal user (755).  This user has since been booted... 
>  
> As these sites are configured with a common set of directory structures /usr/home/somesite/www/catalog/config/mypasswordfile.php it is easy for them to guess what the path for somesite2 would be.
>  
> What is the best way to protect the content of the virtual host directory, allowing only the user or apache to read the file?  I was thinking about the user/group directive under 1.3.x for each virtual host and then specifying username / users as the access level then running a chmod 700 on the directories. My readings lead me to believe that under 1.3.x this directive only works for CGIs.
>  
> If I'm going to recompile everything then I can also look at using 2.0.x for this.
>  
> Is there a good way to do this?  How do other ISPs enforce this?
>  
> TIA, 
>  
> Gary Smith
>  
>  
>  

Use the <Directory> directive within each vhost to only allow access to 
the vhost's own document root.

-- 
Aaron W Morris <aa...@mindspring.com> (decep)
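An added httpd.conf fragment (not from the thread) showing Aaron's suggestion on the /usr/home/sitename/www layout Gary describes: deny everything at the filesystem root, then open exactly one document root per vhost. Site names, the 192.0.2.10 address and the Options choices are assumptions.

```apache
# Added example, not code from the thread. Apache 1.3.x syntax (also valid in 2.0).
# Paths follow the /usr/home/<site>/www layout from the question; site names and
# the 192.0.2.10 address are made up.

# Filesystem-wide default: serve nothing, follow no symlinks, honour no .htaccess.
# Every vhost inherits this unless it explicitly opens a directory below.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

NameVirtualHost 192.0.2.10

# One vhost per site. A <Directory> inside a <VirtualHost> applies only to that
# vhost, so somesite's config never grants access to somesite2's tree, and a
# request for /usr/home/somesite2/www through this vhost still hits the global Deny.
<VirtualHost 192.0.2.10>
    ServerName www.somesite.example
    DocumentRoot /usr/home/somesite/www
    <Directory /usr/home/somesite/www>
        # SymLinksIfOwnerMatch: a symlink planted in this tree pointing at another
        # site's files is not followed unless link and target share an owner.
        Options SymLinksIfOwnerMatch
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName www.somesite2.example
    DocumentRoot /usr/home/somesite2/www
    <Directory /usr/home/somesite2/www>
        Options SymLinksIfOwnerMatch
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

This confines what httpd will serve for each vhost; it does not change what a shell account can read, which remains a filesystem-permission question (the chmod side of the original question).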



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org