Date:      Wed, 20 Mar 2002 09:38:14 +0100
From:      "Roland Dworschak" <roland.dworschak@i-sp.at>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Limit PERL opening file in a directory / PHP
Message-ID:  <IEEPKGPKMPPMPLMFAGHAOEGHCAAA.roland.dworschak@i-sp.at>
In-Reply-To: <Pine.BSF.4.43.0203181931500.59799-100000@BigKing.sinp.msu.ru>

Hi,

I was just wondering if there's something like SuEXEC for PHP.

	<roland
--
Internet & System Products
Roland Dworschak
Netzadministration
Ignaz Rieder Kai 13
A-5020 Salzburg

Phone: +43 662 633434 11
Fax: +43 662 633434 14

eMail: roland.dworschak@i-sp.at
Web: http://www.i-sp.com

-----Original Message-----
Subject: Re: Limit PERL opening file in a directory.

Hi

On Tue, 19 Mar 2002, Richard wrote:

> I have a few virtual sites in my server. There is a security risk
> that these users are able to open files that are not in his/her
> directory by using PERL scripts because most of the system files
> are set as everyone read.
>
> Now, I just made it work that the user can not open a file out
> of his/her directory with PHP by adding
> php_admin_value open_basedir 'directory'
> into apache configuration file.
>
> I want to implement the same limitation with PERL.
> Also, I want to block some functions in PERL, such as system().
>
> Is there any suggestion? Thank you.

You should better set proper permissions on files and directories.
Apache's suExec is very handy if you need to restrict CGI scripts'
permissions.

chmod 750 /home/site1
chown -R site1:wwwguest /home/site1

chmod 750 /home/site2
chown -R site2:wwwguest /home/site2

in httpd.conf:
===
User wwwguest
Group wwwguest

<VirtualHost site1_ip>
  User site1
  Group site1
</VirtualHost>

<VirtualHost site2_ip>
  User site2
  Group site2
</VirtualHost>
===

So Apache will run as wwwguest and has access to users' files (read-only),
but users' scripts are run as their own uid/gid (because suExec does it), so
they can't access another user's directory.

--
Dmitry A. Mottl
Network Administrator
      Skobeltsyn's Institute of Nuclear Physics
      Moscow State University
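
A check for the per-site isolation described in the reply above, added here as an example (not part of the original messages): it parses `User` directives inside `<VirtualHost>` blocks, in the style the message uses, and reports virtual hosts that share an account or fall back to the server account. The function names and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two virtual hosts deliberately share one account.
SAMPLE_CONF = """\
User wwwguest
Group wwwguest
<VirtualHost site1_ip>
  User site1
  Group site1
</VirtualHost>
<VirtualHost site2_ip>
  User site1
  Group site1
</VirtualHost>
"""

def parse_users(conf_text):
    """Return (server_user, {vhost_address: user_or_None})."""
    server_user, vhosts, current = None, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # Apache comments are whole lines
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        user = re.match(r"User\s+(\S+)", line, re.I)
        if opened:
            current = opened.group(1).strip()
            vhosts[current] = None
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif user and current is None:
            server_user = user.group(1)  # global User: what Apache itself runs as
        elif user:
            vhosts[current] = user.group(1)  # per-vhost User: what suExec switches to
    return server_user, vhosts

def audit(conf_text):
    """Return findings that break the one-account-per-site isolation."""
    server_user, vhosts = parse_users(conf_text)
    findings, by_user = [], defaultdict(list)
    for address, user in vhosts.items():
        if user is None or user == server_user:
            findings.append(f"{address}: CGI runs as the server user")
        else:
            by_user[user].append(address)
    for user, addresses in by_user.items():
        if len(addresses) > 1:
            findings.append(f"{user} shared by {', '.join(addresses)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```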

