Re: [users@httpd] Security APACHE, PHP and CGI

That's why I'm looking for a solution, an easy and affordable solution. Of course my subdomains with a shared user can't use php nor cgi. Then if a cgi program can access anything on the server (files like /etc/passwd), how do enterprises provide shared hosting with cgi/php/mysql support? Even if I create a system user for every subdomain webserver, CGI could access important files on the server (/etc/shadow or /etc/passwd ...), or perhaps mod_security could prevent this action?

Or perhaps the only solution is a VPS, but I prefer something simpler ... and cheaper.

Thanks

----- Original Message ----- From: "Joshua Slive" <jslive@xxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Saturday, April 09, 2005 7:59 PM
Subject: Re: [users@httpd] Security APACHE, PHP and CGI


On Apr 9, 2005 12:53 PM, Gare <gare@xxxxxxxxxx> wrote:
> No, they can't.
> The FTP server controls access by its own users list. The users can access their directory, and just their directory. They can't go outside their site.
> But FTP isn't the problem.
> These users share the uid of a real user of the system; this user is the
> owner of the domain and the files in this domain.
> For suexec, Apache serves subdomains with this user as User in httpd.cnf
> I want to know if there is any way to prevent CGI programs from accessing files on the server, that is: a way to restrict the access of cgi scripts to inside
> the home of a subdomain, like php does.

No, not that I know of.  CGI allows people to run arbitrary programs
on the server.  If you let them all run under the same userid, then
there is no way to use unix permissions to restrict their activities.
Overall, it doesn't sound like a good idea to me.  It is like giving
them all telnet access with the same userid and password.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
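
Added example, not part of the original thread: a small model of the classic Unix read check, applied to two subdomains whose CGI runs first under one shared uid and then under one system user per subdomain. The uids, paths and file modes are constructed assumptions (passwd 0644 and shadow 0600 are typical, not taken from the poster's server), and the model ignores ACLs, chroot and mandatory access control.

```python
import stat
from collections import namedtuple

# All uids, paths and modes below are constructed for illustration.
Entry = namedtuple("Entry", "site path uid gid mode")
Proc = namedtuple("Proc", "site uid gids")

def can_read(entry, proc):
    """Unix read check: only one class (owner, group or other) is consulted."""
    if proc.uid == 0:
        return True
    if proc.uid == entry.uid:
        return bool(entry.mode & stat.S_IRUSR)
    if entry.gid in proc.gids:
        return bool(entry.mode & stat.S_IRGRP)
    return bool(entry.mode & stat.S_IROTH)

def cross_reads(procs, entries):
    """(site, path) pairs where a site's CGI can read a file that is not its own."""
    return sorted((p.site, e.path) for p in procs for e in entries
                  if e.site != p.site and can_read(e, p))

# Typical modes assumed for the system files: passwd 0644, shadow 0600, root-owned.
SYSTEM = [Entry("system", "/etc/passwd", 0, 0, 0o644),
          Entry("system", "/etc/shadow", 0, 0, 0o600)]

def layout(uid_a, uid_b):
    """Two subdomains whose CGI runs under the given uids; private files are 0600."""
    procs = [Proc("a", uid_a, {uid_a}), Proc("b", uid_b, {uid_b})]
    files = [Entry("a", "/home/dom/a/db.conf", uid_a, uid_a, 0o600),
             Entry("b", "/home/dom/b/db.conf", uid_b, uid_b, 0o600)]
    return procs, files + SYSTEM

SHARED = cross_reads(*layout(1001, 1001))    # both subdomains share one uid
SEPARATE = cross_reads(*layout(2001, 2002))  # one system user per subdomain

if __name__ == "__main__":
    for name, result in (("shared uid", SHARED), ("per-site uid", SEPARATE)):
        print(name)
        for site, path in result:
            print(f"  CGI of site {site} can read {path}")
```

With a shared uid the owner bits apply to every script, so even mode 0600 does not separate the two subdomains; with one uid per subdomain only the world-readable /etc/passwd remains visible, and /etc/shadow is readable in neither layout.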




