From owner-freebsd-questions@FreeBSD.ORG Thu Apr 29 10:13:17 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 144E516A4CE for ; Thu, 29 Apr 2004 10:13:17 -0700 (PDT) Received: from mail03.talkactive.net (mail03.talkactive.net [81.19.252.192]) by mx1.FreeBSD.org (Postfix) with SMTP id 4744F43D54 for ; Thu, 29 Apr 2004 10:13:16 -0700 (PDT) (envelope-from mikkel@talkactive.net) Received: (qmail 44433 invoked from network); 29 Apr 2004 17:13:13 -0000 Received: from unknown (HELO ?10.0.0.2?) (212.242.170.199) by mail03.talkactive.net with SMTP; 29 Apr 2004 17:13:13 -0000 From: Mikkel Christensen Organization: Talk|Active To: freebsd-questions@freebsd.org Date: Thu, 29 Apr 2004 17:13:13 +0000 User-Agent: KMail/1.6.1 References: <200404262126.36157.mikkel@talkactive.net> <200404291406.58150.mikkel@talkactive.net> <6.0.0.22.0.20040429101444.0e68a6a0@pop.face2interface.com> In-Reply-To: <6.0.0.22.0.20040429101444.0e68a6a0@pop.face2interface.com> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Message-Id: <200404291713.13999.mikkel@talkactive.net> Subject: Re: Suexec with Apache 1.3.29 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Apr 2004 17:13:17 -0000 On Thursday 29 April 2004 14:22, Marty Landman wrote: > At 10:06 AM 4/29/2004, Mikkel Christensen wrote: >=20 > >This seems extremely strange to me. >=20 > Why is it strange? The reason I kept trying to install suexec was because= =20 > until I did, the development environment I set up on my LAN could mirror= =20 > that on my real sites with the exception that all the files & directories= =20 > had to be given 777 or equivalent permissions. Otherwise with the user=20 > running my cgi's being nobody aka www or httpd files couldn't be written= =20 > to, created, deleted etc.. With the types of web apps I write this was=20 > becoming not only a royal pain, also a constant reminder to me that my=20 > local environment was as insecure as it could be; of course it's strictly= =20 > local so not a problem. Okay, I can see your point. But, I still find it annoying that suexec wont execute a script that is own= ed by a particular user if another user has group rights to the script. Eg I would like execution to be run under user1, both the User end Group. My idea is that if the file is owned by user1 and the file's group is www i= t would give more possibilities to the user for denying other users access. Eg. the user (user1) could deny other regular users on the server access by= s=E6tting chmod xx0. He could allow the webserver to read his files with chmod x4x and the give = execution, read and write rights to himself with chmod 7xx. Now he has to give the webserver the same rights as everybody else on the s= erver. This is a problem if he stores passwords in a php-script. Apache wil= l interpret it and therefore not let anyone se the source while other users= can read the content as they please. This seems to be more unsecure, or am I wrong? I get the idea that if other group members have access to the file they cou= ld potentially write their own content. Bus usually the group doen's have w= rite access to files. And also, no users are members of the www group by de= fault. >=20 > >But following theese rules it works as it should. >=20 > With suexec running, a cgi gets set to 744 or 700 instead of 755; a data= =20 > file e.g. log or count file gets 644 or 600 instead of 666. It's amazing = to=20 > me that more vandalism and cross site scripting doesn't occur given the=20 > servers that still don't run suexec, or the users that aren't hip to usin= g=20 > it properly for setting permissions when the server does support it. >=20 Can't argue with that:) =2D Mikkel