Re: suexec for another user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Phil Howard wrote:

I don't understand what it is you are doing, so I cannot comment on
whether it is common or not, or even secure.  A test to detect if
others can write a file that would be executed is a critical test on a
multi-user machine.  Similarly, testing if all parent directories can
be written by others is important, too (otherwise, someone could move
names around at some directory level to get their executable to be
used).


I am making a new system for midsize webhoster, so there are many users,
many sites for them and more levels of privileges than simple user and
root. It consists of 10+ virtual systems now and will grow as required
in the future, mainly with more worker systems using apache with this or
other kind of su.

I need to protect all the sites from themselves - have one unix uid for
upload and file management and another for actual run of the site.
Basicaly every site has these two plus there are priviledged master
accounts for some different groups of sites. I can secure that there is
simply no acces to any unprivilegeled some directory levels above site
code, every site structure is created by root and privileges+acls are
set on the lowest possible level.

Sftp requires for chroot, that target directory or anything above it is
writable by anyone except root, so everything above is well protected
and I want to fiddle at lowest level of the structure.

Is it better if I relax the tests to main group of that user? It would
mean that some users get listed in thousands of groups, which seems
worse to me.

If anyone knows about some usefull article I semm missed while googling,
that would enlighten me, I'd be thankful too. I is my job, but I try to
make the last piece sorted out the best possible way and eventualy, I
went here.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux