Posted to users@httpd.apache.org by Vildan <vi...@origincode.com> on 2003/07/23 02:00:12 UTC

[users@httpd] Setting access for users - Apache, Win32

Hello,



I run Apache 2.0.47 on Windows 2000 Server platform with PHP support.

I have recently discovered that somebody created files outside their
home directory and put them in root folder c:\

My configuration is as follows:

- Multiple websites are hosted on the web server using virtual hosts
  and domain name based configuration (not ip-based).

...

<Virtualhost website.com>
ServerAdmin webmaster@website.com
DocumentRoot c:\www\website\www
ServerName www.website.com
ErrorLog c:\www\website\log\error_log
TransferLog c:\www\website\log\access_log
</Virtualhost>

<Virtualhost website2.com>
ServerAdmin webmaster@website2.com
DocumentRoot c:\www\website2\www
ServerName www.website2.com
ErrorLog c:\www\website2\log\error_log
TransferLog c:\www\website2\log\access_log
</Virtualhost>

...

Those websites are stored in:

c:\www <--- DocumentRoot "C:/www"


So each website has its own 'home' as for virtual hosts above:

c:\www\website\www

c:\www\website2\www


Currently, if some user uploads an executable script (PHP/CGI) into
his home directory (e.g. c:\www\website2\www), he is able e.g. to write
a file in c:\www\website\www or c:\ (root).

1.
How can I limit users and their executable scripts to be run/executed
only in their own 'home'
(e.g. c:\www\website\www) directory, and limit their access to their
DocumentRoot only ?


Best Regards,

- Vildan



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] Setting access for users - Apache, Win32

Posted by Vildan Hasanbegovic <vi...@origincode.com>.
Users upload their files through the FTP.

But it's not impossible either for them to create an 'upload-script'
with PHP or CGI, put it in their home, and execute it.

There is no protection against CGI scripts either. And yes, they
could execute anything.

suexec is a bit complicated process and needs recompiling of the Apache
source.

Isn't there any other way to stop users from executing/running
scripts/binaries outside their 'home' directory ?

Here's an example (http://se2.php.net/manual/en/security.apache.php) of
locking the scripts to their VirtualHost-DocumentRoot-directories:

------------------------------------------------------

You can set open_basedir dynamically for every virtual host you have, so 
every PHP script on a virtual host is jailed to its document root.

Example:
<VirtualHost www.example.com>
ServerName www.example.com
 DocumentRoot /www-home/example.com
[...]
 <Location />
  php_admin_value open_basedir "/www-home/example.com/:/usr/lib/php/"
 </Location>
</VirtualHost>

If you set safe_mode on, then the script can only use binaries in given 
directories (make a special dir only with the binaries your customers may 
use).

Now no user of a virtual host can read/write/modify the data of another 
user on your machine.

------------------------------------------------------

Isn't there any similar directive for Apache to limit user to their
'home' directory ?

Is it possible to use .htaccess here for limitation ?


regards,

- Vildan


> How does your users upload files to the server?
> You do not have any protection against CGI scripts running on your
> server,
> it's like having your clients running .exe files on the system.
> What you can do is to add the users to the Windows 2000 itself and use
> suexec.
> 
> All the best,
> Jeff Cohen
> Support@GEJ-IT.com
> Tel. (416) 917-2324
> www.GEJ-IT.com
> GEJ-IT Networks!
> 
> 
> 
> > -----Original Message-----
> > From: Vildan [mailto:vildan@origincode.com]
> > Sent: Tuesday, July 22, 2003 8:00 PM
> > To: users@httpd.apache.org
> > Subject: [users@httpd] Setting access for users - Apache, Win32
> > 
> > Hello,
> > 
> > 
> > 
> > I run Apache 2.0.47 on Windows 2000 Server platform with PHP support.
> > 
> > I have recently discovered that somebody created files outside their
> > home directory and put them in root folder c:\
> > 
> > My configuration is as follows:
> > 
> > - Multiple websites are hosted on the web server using virtual hosts
> >   and domain name based configuration (not ip-based).
> > 
> > ...
> > 
> > <Virtualhost website.com>
> > ServerAdmin webmaster@website.com
> > DocumentRoot c:\www\website\www
> > ServerName www.website.com
> > ErrorLog c:\www\website\log\error_log
> > TransferLog c:\www\website\log\access_log
> > </Virtualhost>
> > 
> > <Virtualhost website2.com>
> > ServerAdmin webmaster@website2.com
> > DocumentRoot c:\www\website2\www
> > ServerName www.website2.com
> > ErrorLog c:\www\website2\log\error_log
> > TransferLog c:\www\website2\log\access_log
> > </Virtualhost>
> > 
> > ...
> > 
> > Those websites are stored in:
> > 
> > c:\www <--- DocumentRoot "C:/www"
> > 
> > 
> > So each website has its own 'home' as for virtual hosts above:
> > 
> > c:\www\website\www
> > 
> > c:\www\website2\www
> > 
> > 
> > Currently, if some user uploads an executable script (PHP/CGI) into
> > his home directory (e.g. c:\www\website2\www), he is able e.g. to
> write
> > a file in c:\www\website\www or c:\ (root).
> > 
> > 1.
> > How can I limit users and their executable scripts to be run/executed
> > only in their own 'home'
> > (e.g. c:\www\website\www) directory, and limit their access to their
> > DocumentRoot only ?
> > 
> > 
> > Best Regards,
> > 
> > - Vildan
> > 
> > 



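The PHP manual snippet quoted above uses Unix paths. Below is an added example (not from this thread, nor from the PHP or Apache documentation) of the same open_basedir jail applied to the two virtual hosts from the original question. It assumes PHP is loaded as an Apache module (php_admin_value has no effect when PHP runs as CGI) and uses c:\php\includes as a placeholder for wherever shared PHP library files live.

```apacheconf
# Added example, not part of the thread. Assumes mod_php and the
# c:\www\website\www layout from the original message; C:/php/includes/
# is a placeholder path.

# Weak: no open_basedir, so a PHP script in either host can read or write
# c:\ and the other host's DocumentRoot.
<VirtualHost website.com>
    ServerName www.website.com
    DocumentRoot "C:/www/website/www"
</VirtualHost>

# Hardened: each host's PHP scripts are confined to their own tree.
# On Windows the open_basedir list separator is ";" (the PHP manual's
# Unix example uses ":"). Each entry ends with "/" because open_basedir
# matches by prefix: "C:/www/website" would also match "C:/www/website2".
<VirtualHost website.com>
    ServerName www.website.com
    DocumentRoot "C:/www/website/www"
    ErrorLog "C:/www/website/log/error_log"
    TransferLog "C:/www/website/log/access_log"
    <Location />
        php_admin_value open_basedir "C:/www/website/www/;C:/php/includes/"
    </Location>
</VirtualHost>

<VirtualHost website2.com>
    ServerName www.website2.com
    DocumentRoot "C:/www/website2/www"
    ErrorLog "C:/www/website2/log/error_log"
    TransferLog "C:/www/website2/log/access_log"
    <Location />
        php_admin_value open_basedir "C:/www/website2/www/;C:/php/includes/"
    </Location>
</VirtualHost>
```

php_admin_value is used rather than php_value so that a user's own .htaccess or ini_set() call cannot loosen the setting. This confines only PHP; it does nothing for CGI scripts or other binaries, which is the gap Jeff Cohen's reply points at.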


RE: [users@httpd] Setting access for users - Apache, Win32

Posted by Jeff Cohen <su...@gej-it.com>.
How do your users upload files to the server?
You do not have any protection against CGI scripts running on your server,
it's like having your clients running .exe files on the system.
What you can do is to add the users to the Windows 2000 itself and use
suexec.

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!



> -----Original Message-----
> From: Vildan [mailto:vildan@origincode.com]
> Sent: Tuesday, July 22, 2003 8:00 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Setting access for users - Apache, Win32
> 
> Hello,
> 
> 
> 
> I run Apache 2.0.47 on Windows 2000 Server platform with PHP support.
> 
> I have recently discovered that somebody created files outside their
> home directory and put them in root folder c:\
> 
> My configuration is as follows:
> 
> - Multiple websites are hosted on the web server using virtual hosts
>   and domain name based configuration (not ip-based).
> 
> ...
> 
> <Virtualhost website.com>
> ServerAdmin webmaster@website.com
> DocumentRoot c:\www\website\www
> ServerName www.website.com
> ErrorLog c:\www\website\log\error_log
> TransferLog c:\www\website\log\access_log
> </Virtualhost>
> 
> <Virtualhost website2.com>
> ServerAdmin webmaster@website2.com
> DocumentRoot c:\www\website2\www
> ServerName www.website2.com
> ErrorLog c:\www\website2\log\error_log
> TransferLog c:\www\website2\log\access_log
> </Virtualhost>
> 
> ...
> 
> Those websites are stored in:
> 
> c:\www <--- DocumentRoot "C:/www"
> 
> 
> So each website has its own 'home' as for virtual hosts above:
> 
> c:\www\website\www
> 
> c:\www\website2\www
> 
> 
> Currently, if some user uploads an executable script (PHP/CGI) into
> his home directory (e.g. c:\www\website2\www), he is able e.g. to write
> a file in c:\www\website\www or c:\ (root).
> 
> 1.
> How can I limit users and their executable scripts to be run/executed
> only in their own 'home'
> (e.g. c:\www\website\www) directory, and limit their access to their
> DocumentRoot only ?
> 
> 
> Best Regards,
> 
> - Vildan
> 
> 
> 

