Date: Mon, 20 Aug 2001 00:13:30 -0400 From: "Dave" <dave@nexusinternetsolutions.net> To: <freebsd-isp@FreeBSD.ORG> Subject: security check - virtual host and mod php Message-ID: <DBEIKNMKGOBGNDHAAKGNIEFOHNAA.dave@nexusinternetsolutions.net>
next in thread | raw e-mail | index | archive | help
posted here in relation to ISP type implementation. please hack apart this solution and point out the error/insecure nature of the setup. goal, provide php(and other scripts) access to name based virtual hosts on FreeBSD boxes problem, security of PHP access to base system and other user scripts, using PHP to browser other directories on server, retrieve database names and passwords stored within scripts and such from items that must be readable by the httpd server solution, apache compiled with suexec # set user and group to unique chown USERID:USERID /path/to/user/html/directory # no public access to any files under here that # you don't want public reading, like scripts # with database login information in them chmod -R 0750 /path/to/user/html/directory # set group sticky execution... we will run # apache as this unique group so may not be needed chmod -R g+s /path/to/user/html/directory >in apache's httpd.conf # set each virtual host to run any accesses # as the group USERID giving them only access # to this directory... defeats PHP directory # and shell scripts as long as no public read bits # are set <virtual *> ServerName whatever.com Group USERID </virtual> Sufficient? you end up with http://test1.com and http://test2.com being unable to create PHP scripts or do listings of any other virtual user directory since they are not of the same group, but accesses to the site are made by invoking apache as that group for that session. directory tree drwxr-s--- 2 user1 user1 512 Aug 19 18:23 vtest1 drwxr-s--- 2 user2 user2 512 Aug 19 18:26 vtest2 with directory groups set in the httpd.conf for user1 in vtest1 and user2 in vtest2, neither user should be able to use PHP filesystem functions to browse the other directories as long as no public bits are set, and apache server requests still server the documents from the directories since each users directory has an Group user1 (or user2) set for his directory in the directory or virtual container, thus executing the apache requsts as the appropriate user and not the generic www user. Please feel free to point out any errors in my logic... it appears pretty solid from here. Dave To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DBEIKNMKGOBGNDHAAKGNIEFOHNAA.dave>