Posted to users@httpd.apache.org by John Goggan <jg...@dcg.com> on 2005/11/09 15:09:42 UTC

[users@httpd] Proper config for suexec and maintain chroot'ed FTP?

I recently went from Apache v1.x to v2.0.54.  Most things went fine, but I am 
having trouble finding the proper way to configure things for suexec support 
while still maintaining the filesystem the way I would like it.

As an example, say I host acmecorp.dom as a virtual host and they want to run 
their own CGI scripts.  Under Apache v1.x, I configured them as follows:

1. I used "User acme" and "Group acme" directives in the httpd.conf.
2. I had their DocumentRoot set to /home/acme/web.
3. Their CGI scripts were in /home/acme/web/cgi-bin.
4. I had them set up so that FTPd kept them chroot'ed to /home/acme.

This worked well.

I seem unable to find a way to do the same thing properly under Apache v2.0 
with suexec2's requirement that the files be in the docroot.  It does not use 
the docroot of the virtual host -- but uses the default/main docroot of /var/www.

I tried doing a symlink from /var/www/acme to /home/acme/web, but suexec2 
still considers the final script to be in /home/acme/web/cgi-bin (not 
/var/www/acme/cgi-bin) and therefore considers it "not in docroot."

I could move acme's entire web directory to /var/www/acme, of course, and then 
suexec would be happy -- but then it makes it more difficult to chroot them to 
their home directory via FTP and such -- so I end up with permission errors on 
the other side.

Is there a way to do this properly and make it work -- leaving the actual 
files in their home directory?

A couple notes:

1. I do this for multiple virtual hosts with different accounts -- so I 
couldn't find a way to override suexec's docroot for each one individually.

2. I don't want these to be ~acme type sites, so I don't think suexec's "user 
home directory" support will do what I want, right?

Thanks for thoughts/suggestions/tips/solutions!  :)

  - John Goggan


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Proper config for suexec and maintain chroot'ed FTP?

Posted by Joshua Slive <js...@gmail.com>.
On 11/9/05, John Goggan <jg...@dcg.com> wrote:

> However, suexec still checks that the file is owned by the user trying to run
> it, correct?  Therefore, is doing a document root of /home (or even / and
> ignoring the doc root check for that matter) that insecure/dangerous if it
> only allows people to run things that they already own?

If the only thing under /home are files normally seen from the web,
then it isn't a big deal.  But if there are other executables under
there, then you open up a significant danger if anyone ever compromises
the userid under which you run apache.  It doesn't instantly make your
system vulnerable -- it just removes one layer of protection.

Joshua.



Re: [users@httpd] Proper config for suexec and maintain chroot'ed FTP?

Posted by John Goggan <jg...@dcg.com>.
Joshua Slive wrote:
> This has not changed between 1.3 and 2.0.  suexec always requires all
> non-userdir files to be under a compile-time configured document root.
> It must just be that the docroot you had configured for 1.3 contained
> all the directories.  You can recompile suexec to set its docroot to
> /home.  But of course, this is dangerous because it means suexec can
> execute anything under that directory.

Thanks for the info.  In the past, I must have recompiled suexec with a 
docroot of /home.  :(  Ok -- a quick check of my old binary from a backup 
confirms that.  So -- there really isn't a way to make this work as I'd like 
in a more proper way then, is there?

However, suexec still checks that the file is owned by the user trying to run 
it, correct?  Therefore, is doing a document root of /home (or even / and 
ignoring the doc root check for that matter) that insecure/dangerous if it 
only allows people to run things that they already own?  I realize it isn't 
perfect -- but it seems it would solve my problem and not be a large risk to 
allow users to execute files that they own.  Since they could execute whatever 
was in /var/www/* if it was done the "proper" way, am I changing things much 
to allow them to execute a file they own anywhere else on the filesystem?  Or 
am I missing something obvious?

All that being said, what do other people do that do virtual hosting for 
clients?  Do they keep individual client directories under /var/www/ then? 
And, if so, how do they give FTP access to those files?  Just chroot them to 
that directory all the time instead of their home directory?  Or maybe MAKE 
that their home directory?  We have people that have web space and other files 
in their home directories -- which is why I was trying to do it my way -- so 
that I could keep them jailed to their home directories for FTP...

Thanks again.

  - John...



Re: [users@httpd] Proper config for suexec and maintain chroot'ed FTP?

Posted by Joshua Slive <js...@gmail.com>.
On 11/9/05, John Goggan <jg...@dcg.com> wrote:

> I seem unable to find a way to do the same thing properly under Apache v2.0
> with suexec2's requirement that the files be in the docroot.  It does not use
> the docroot of the virtual host -- but uses the default/main docroot of /var/www.

This has not changed between 1.3 and 2.0.  suexec always requires all
non-userdir files to be under a compile-time configured document root.
It must just be that the docroot you had configured for 1.3 contained
all the directories.  You can recompile suexec to set its docroot to
/home.  But of course, this is dangerous because it means suexec can
execute anything under that directory.

Joshua.
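The two checks this thread turns on (the compile-time docroot test, applied after symlinks are resolved, and the owner-matches-target-user test) can be modelled to see exactly what a docroot of /var/www versus /home exposes. The script below is an added illustration, not part of the thread or of suexec itself; it is a deliberately simplified model of only those two checks, run over a constructed in-memory filesystem that reproduces John's layout (the symlink /var/www/acme -> /home/acme/web, plus a hypothetical non-web script /home/acme/bin/backup.sh).

```python
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    owner: str                      # owning user of the file or link
    link_to: Optional[str] = None   # set when the entry is a symlink


# Constructed filesystem model (not a real host): the layout from the thread.
FS = {
    "/var/www/acme": Entry(owner="root", link_to="/home/acme/web"),
    "/home/acme/web/cgi-bin/hello.cgi": Entry(owner="acme"),
    "/home/acme/bin/backup.sh": Entry(owner="acme"),   # hypothetical non-web script
    "/home/bob/web/cgi-bin/index.cgi": Entry(owner="bob"),
}


def resolve(path, fs):
    """Follow symlinks component by component, the way realpath() would."""
    cur = "/"
    for part in (p for p in path.split("/") if p):
        cur = posixpath.join(cur, part)
        entry = fs.get(cur)
        if entry is not None and entry.link_to:
            cur = entry.link_to            # model assumes absolute link targets
    return cur


def suexec_allows(command, docroot, target_user, fs):
    """Simplified model of two suexec checks: docroot containment and ownership."""
    real = resolve(command, fs)
    entry = fs.get(real)
    if entry is None:
        return (False, "no such file")
    root = docroot.rstrip("/") + "/"
    if not real.startswith(root):          # checked on the resolved path
        return (False, "command not in docroot")
    if entry.owner != target_user:
        return (False, "target uid/gid mismatch")
    return (True, "ok")


def exposed_commands(docroot, target_user, fs):
    """Every regular file the model would let suexec run for target_user."""
    return sorted(p for p, e in fs.items()
                  if not e.link_to and suexec_allows(p, docroot, target_user, fs)[0])
```

With docroot /var/www the symlinked script is refused exactly as John observed, because the resolved path is under /home; with docroot /home the CGI runs, but so does backup.sh, which is the widened exposure Joshua describes.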
