Posted to users@httpd.apache.org by John Goggan <jg...@dcg.com> on 2005/11/09 15:09:42 UTC
[users@httpd] Proper config for suexec and maintain chroot'ed FTP?
I recently went from Apache v1.x to v2.0.54. Most things went fine, but I am
having trouble finding the proper way to configure things for suexec support
while still maintaining the filesystem the way I would like it.
As an example, say I host acmecorp.dom as a virtual host and they want to run
their own CGI scripts. Under Apache v1.x, I configured them as follows:
1. I used "User acme" and "Group acme" directives in the httpd.conf.
2. I had their DocumentRoot set to /home/acme/web.
3. Their CGI scripts were in /home/acme/web/cgi-bin.
4. I had them set up so that FTPd kept them chroot'ed to /home/acme.
This worked well.
I seem unable to find a way to do the same thing properly under Apache v2.0
with suexec2's requirement that the files be in the docroot. It does not use
the docroot of the virtual host -- but uses the default/main docroot of /var/www.
I tried doing a symlink from /var/www/acme to /home/acme/web, but suexec2
still considers the final script to be in /home/acme/web/cgi-bin (not
/var/www/acme/cgi-bin) and therefore considers it "not in docroot."
I could move acme's entire web directory to /var/www/acme, of course, and then
suexec would be happy -- but then it makes it more difficult to chroot them to
their home directory via FTP and such -- so I end up with permission errors on
the other side.
Is there a way to do this properly and make it work -- leaving the actual
files in their home directory?
A couple notes:
1. I do this for multiple virtual hosts with different accounts -- so I
couldn't find a way to override suexec's docroot for each one individually.
2. I don't want these to be ~acme type sites, so I don't think suexec's "user
home directory" support will do what I want, right?
Thanks for thoughts/suggestions/tips/solutions! :)
- John Goggan
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Proper config for suexec and maintain chroot'ed FTP?
Posted by Joshua Slive <js...@gmail.com>.
On 11/9/05, John Goggan <jg...@dcg.com> wrote:
> However, suexec still checks that the file is owned by the user trying to run
> it, correct? Therefore, is doing a document root of /home (or even / and
> ignoring the doc root check for that matter) that insecure/dangerous if it
> only allows people to run things that they already own?
If the only thing under /home are files normally seen from the web,
then it isn't a big deal. But if there are other executables under
there, then you open up a significant danger if anyone ever compromises
the userid under which you run apache. It doesn't instantly make your
system vulnerable -- it just removes one layer of protection.
Joshua.
Re: [users@httpd] Proper config for suexec and maintain chroot'ed FTP?
Posted by John Goggan <jg...@dcg.com>.
Joshua Slive wrote:
> This has not changed between 1.3 and 2.0. suexec always requires all
> non-userdir files to be under a compile-time configured document root.
> It must just be that the docroot you had configured for 1.3 contained
> all the directories. You can recompile suexec to set its docroot to
> /home. But of course, this is dangerous because it means suexec can
> execute anything under that directory.
Thanks for the info. In the past, I must have recompiled suexec with a
docroot of /home. :( Ok -- a quick check of my old binary from a backup
confirms that. So -- there really isn't a way to make this work as I'd like
in a more proper way then, is there?
However, suexec still checks that the file is owned by the user trying to run
it, correct? Therefore, is doing a document root of /home (or even / and
ignoring the doc root check for that matter) that insecure/dangerous if it
only allows people to run things that they already own? I realize it isn't
perfect -- but it seems it would solve my problem and not be a large risk to
allow users to execute files that they own. Since they could execute whatever
was in /var/www/* if it was done the "proper" way, am I changing things much
to allow them to execute a file they own anywhere else on the filesystem? Or
am I missing something obvious?
All that being said, what do other people do that do virtual hosting for
clients? Do they keep individual client directories under /var/www/ then?
And, if so, how do they give FTP access to those files? Just chroot them to
that directory all the time instead of their home directory? Or maybe MAKE
that their home directory? We have people that have web space and other files
in their home directories -- which is why I was trying to do it my way -- so
that I could keep them jailed to their home directories for FTP...
Thanks again.
- John...
Re: [users@httpd] Proper config for suexec and maintain chroot'ed FTP?
Posted by Joshua Slive <js...@gmail.com>.
On 11/9/05, John Goggan <jg...@dcg.com> wrote:
> I seem unable to find a way to do the same thing properly under Apache v2.0
> with suexec2's requirement that the files be in the docroot. It does not use
> the docroot of the virtual host -- but uses the default/main docroot of /var/www.
This has not changed between 1.3 and 2.0. suexec always requires all
non-userdir files to be under a compile-time configured document root.
It must just be that the docroot you had configured for 1.3 contained
all the directories. You can recompile suexec to set its docroot to
/home. But of course, this is dangerous because it means suexec can
execute anything under that directory.
Joshua.
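An added illustration, not part of the thread or Apache's own source: a small Python model of the checks suexec applies, run against a constructed temp-directory copy of the layout John describes. It shows why the /var/www/acme symlink fails the docroot check (suexec chdir()s into the script's directory and compares getcwd(), so the symlink collapses to /home/acme/web/cgi-bin), and why a docroot of /home lets any user-owned executable under /home pass, which is the extra exposure Joshua points out. The tree paths and file names below are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

def suexec_check(script, docroot, target_uid, target_gid):
    """Return None if this model of suexec would run `script`, else the refusal reason."""
    real = os.path.realpath(script)           # chdir()+getcwd() in suexec: symlinks collapse
    root = os.path.realpath(docroot)
    if os.path.commonpath([real, root]) != root:
        return "command not in docroot"
    st = os.stat(real)
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        return "file is either setuid or setgid"
    if (st.st_uid, st.st_gid) != (target_uid, target_gid):
        return "target uid/gid mismatch with directory or program"
    if (st.st_mode | os.stat(os.path.dirname(real)).st_mode) & stat.S_IWOTH:
        return "file or directory is writable by others"
    return None

def demo():
    """Build the thread's layout under a temp dir (constructed sample tree) and run the checks."""
    base = Path(tempfile.mkdtemp())
    cgi = base / "home/acme/web/cgi-bin/test.cgi"      # the customer's real CGI
    tool = base / "home/acme/private/backup.sh"        # user-owned, never meant for the web
    for f in (cgi, tool):
        f.parent.mkdir(parents=True)
        f.parent.chmod(0o755)
        f.write_text("#!/bin/sh\necho ok\n")
        f.chmod(0o755)
    (base / "var/www").mkdir(parents=True)
    os.symlink(base / "home/acme/web", base / "var/www/acme")   # the symlink John tried
    uid, gid = os.getuid(), os.getgid()                          # files are owned by us
    try:
        return {
            "symlink_in_var_www": suexec_check(base / "var/www/acme/cgi-bin/test.cgi", base / "var/www", uid, gid),
            "docroot_home": suexec_check(cgi, base / "home", uid, gid),
            "private_tool_docroot_home": suexec_check(tool, base / "home", uid, gid),
            "wrong_owner": suexec_check(cgi, base / "home", uid + 1, gid),
        }
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict or 'would execute'}")
```

The ownership check still blocks files the vhost user does not own, but with docroot widened to /home the private backup.sh passes every check, which is the layer of protection the compile-time docroot normally provides.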