No, they can't. The FTP server controls access by its own users list. The users can access their directory, and just their directory. They can't go outside their site. But FTP isn't the problem. These users share the uid of a real user of the system; this user is the owner of the domain and the files in this domain.

For suexec, Apache serves subdomains with this user as User in httpd.cnf.

I want to know if there is any way to prevent CGI programs from accessing files in the server, that is: a way to restrict the access of cgi scripts inside the home of a subdomain, like php does.

Thanks

----- Original Message -----
From: "Tim Burden" <tim@xxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Saturday, April 09, 2005 6:18 PM
Subject: Re: [users@httpd] Security APACHE, PHP and CGI

If they are all owned by one account, couldn't owners of one subdomain just FTP in and erase the files of some other owner?

----- Original Message -----
From: "Gare" <gare@xxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Saturday, April 09, 2005 12:04 PM
Subject: [users@httpd] Security APACHE, PHP and CGI

We have a site with several subdomains hosted, but the webmasters of these subdomains are not allowed to use their own CGI nor PHP.

The box runs under Fedora with Apache 1.3, and webmasters of subdomains are not users of the OS; they share the account of a user (the owner of the main domain where subdomains are hosted).

I would like to offer php and cgi support, but I am worried about security. I know that PHP can be configured in secure mode and that we can control access to directories. But CGI is too powerful, and a CGI program can access a lot of files in the server. suExec is not a solution, because webmasters could access files in other subdomains (they share the same account).

Is there any solution to host subdomains with php and cgi without compromising server and subdomains security?

thanks

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx