Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

sucuring cg files access

0 views
Skip to first unread message

kevin kitenik

unread,
Dec 21, 2009, 8:43:16 AM12/21/09
to

Hi everybody,

What is the best and simplest way to have a multiple users and virtual hosts with apache
i mean, how can i prevent CGI-scripts of user A , read and/OR write , files owned by user B
(php5 with apach2 in mod_php5)
same thing appears with perl cgi ...

i also, see that it's possible for maliciuous user to see /etc/*conf files etc...


how to secure this 2 items.

i thanks you lot.

--
thanks a lot.

"Álvaro G. Vicario"

unread,
Dec 21, 2009, 10:48:34 AM12/21/09
to
El 21/12/2009 14:43, kevin kitenik escribió:
> What is the best and simplest way to have a multiple users and virtual hosts with apache
> i mean, how can i prevent CGI-scripts of user A , read and/OR write , files owned by user B
> (php5 with apach2 in mod_php5)
> same thing appears with perl cgi ...

You must be aware that mod_php is not CGI. If you run PHP as an Apache
module there's not much you can do beyond enabling PHP's safe mode. See
here for further reference:

http://es.php.net/safe%20mode

(Anyway, safe mode might do the trick for PHP.)


As about CGI, I haven't used it and I cannot tell you if it's suitable
but Apache supports suexec:

http://httpd.apache.org/docs/2.2/en/suexec.html

> i also, see that it's possible for maliciuous user to see /etc/*conf files etc...

Last but not least, you can chroot:

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#chrootdir

However, it's not easy to configure.

--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--

HansH

unread,
Dec 21, 2009, 7:47:09 PM12/21/09
to
"kevin kitenik" <kit...@gmail.com> schreef in bericht
news:4b2f7b74$0$8926$426a...@news.free.fr...

> What is the best and simplest way to have a multiple users and virtual
> hosts with apache
> i mean, how can i prevent CGI-scripts of user A , read and/OR write ,
> files owned by user B
> (php5 with apach2 in mod_php5)
> same thing appears with perl cgi ...
>
> i also, see that it's possible for maliciuous user to see /etc/*conf files
> etc...
Try your luck with http://mpm-itk.sesse.net/
apache2-mpm-itk is an MPM for the Apache web server. mpm-itk allows you to
run each of your vhost under a separate uid and gid - in short, the scripts
and configuration files for one vhost no longer have to be readable for all
the other vhosts.

It's simple, not perfect.

HansH


Swifty

unread,
Dec 22, 2009, 4:06:17 AM12/22/09
to
kevin kitenik wrote:
> What is the best and simplest way to have a multiple users and virtual hosts with apache
> i mean, how can i prevent CGI-scripts of user A , read and/OR write , files owned by user B

The standard approach, part of apache, is to use suexec

With this, apache will su to the userid that owns the Virtual Host, so
that CGI can only run if it is accessible to the owner of the Vhost.
What is more, the CGI scripts can access only files that the owner has
access to.

This is the way that commercial hosts, which allow users to write their
own scripts, works.

--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk

kevin kitenik

unread,
Dec 22, 2009, 6:06:29 PM12/22/09
to
I thanks everybody for the answers.

i will try the suexec.

have a nice day.

--
thanks a lot.

0 new messages