Re: How do I keep Virtual hosts from seeing the others' document root?


 



While the setup Jim describes is similar to what I have set up, the issue still remains: when a user uploads a PHPSHELL to their document root and accesses the server through the uploaded shell, they are no longer operating under the FTP user account. They are operating under the www-data account, which is the account Apache operates in. By doing so, when using the uploaded PHPSHELL you bypass the FTP and jail restrictions that prevent you from seeing other people's document roots and have access to all document roots on the system. Here is a PHPSHELL: http://phpshell.sourceforge.net/. Upload and configure it and give it a try; it runs under the www-data account just like all other pages do.

This issue would allow your PHP files to be viewed. This can be an issue due to needing to have passwords in PHP scripts to access SQL databases, etc.

This issue could be resolved by making each virtualhost run under a different account and jailing each account in a different jail.


----- Original Message -----
From: "Jim Walls" <jim@xxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Monday, March 7, 2011 12:58:59 AM
Subject: Re: How do I keep Virtual hosts from seeing the others' document root?

On 3/6/2011 2:43 PM, aaronrus@xxxxxxxxxxx wrote:
I have apache2 running virtual hosts. I've figured out how to jail a user that uploads files to the document root using jailkit and only allow SFTP access. What I have not figured out is how to keep a user from reading other files on the system, such as other virtual host document roots, by uploading a phpshell which runs under the www-data user, which is not jailed.

Maybe I'm not understanding the problem.  As I understand it, you don't want a user that has ftp access to one of your virtual hosts to be able to have read access to another of the virtual hosts.  What's the problem?  As I understand the question, this has everything to do with the security and setup of your ftp server and nothing to do with apache.  I have this very easily.  I use Bulletproof FTP server and I can easily allow a user ID whatever access and to whatever directories I want.  The two virtual servers have completely different document roots.  Let me give an example:

I have a virtual server that is xyz.org with a root of C:\Program Files\Apache Group\Apache2\htdocs\xyz.org
I have a second virtual server that is abc.info with a root of C:\Program Files\Apache Group\Apache2\htdocs\abc.info

In my ftp server, the user IDs that are there for access to xyz.org have no access above C:\Program Files\Apache Group\Apache2\htdocs\xyz.org and the user IDs that are there for access to abc.info have no access above C:\Program Files\Apache Group\Apache2\htdocs\abc.info

Did I just answer the question or am I completely missing the question?


-- 
73
-------------------------------------
Jim Walls - K6CCC
jim@xxxxxxxxx
Ofc:  818-548-4804
http://members.dslextreme.com/users/k6ccc/
AMSAT Member 32537 - WSWSS Member 395
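
An added illustration, not part of either message in this thread: a small Python audit that models the exposure discussed above, reporting which virtual host's scripts can read which other host's document root from the directory owner, group and mode and the account the scripts run as. The host names are taken from the example in the thread; the uid/gid numbers, modes and the `Vhost` structure are constructed for the example.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Vhost:
    name: str
    root_uid: int        # owner of the document root
    root_gid: int        # group of the document root
    root_mode: int       # permission bits, e.g. 0o755
    run_uid: int         # account this vhost's scripts execute as
    run_gids: frozenset  # groups of that account

def can_read_dir(mode, owner_uid, owner_gid, uid, gids):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 0o5 == 0o5  # r+x: list the directory and enter it

def cross_reads(vhosts):
    """(reader, exposed) pairs where one vhost's scripts can read another's root."""
    return sorted((a.name, b.name) for a in vhosts for b in vhosts
                  if a is not b and can_read_dir(b.root_mode, b.root_uid,
                                                 b.root_gid, a.run_uid, a.run_gids))

def from_path(name, path, run_uid, run_gids):
    """Build a Vhost from a real directory (top level only; ACLs and parents are not checked)."""
    st = os.stat(path)
    return Vhost(name, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode),
                 run_uid, frozenset(run_gids))

# Constructed sample data: uid/gid 33 stands in for www-data, 1001/1002 for per-site accounts.
SHARED = [Vhost("xyz.org", 1001, 33, 0o750, 33, frozenset({33})),
          Vhost("abc.info", 1002, 33, 0o750, 33, frozenset({33}))]
SPLIT_OPEN = [Vhost("xyz.org", 1001, 1001, 0o755, 1001, frozenset({1001})),
              Vhost("abc.info", 1002, 1002, 0o755, 1002, frozenset({1002}))]
SPLIT_TIGHT = [Vhost("xyz.org", 1001, 1001, 0o750, 1001, frozenset({1001})),
               Vhost("abc.info", 1002, 1002, 0o750, 1002, frozenset({1002}))]

if __name__ == "__main__":
    for label, hosts in (("shared www-data", SHARED), ("split, 0755", SPLIT_OPEN),
                         ("split, 0750", SPLIT_TIGHT)):
        print(label, cross_reads(hosts) or "no cross-vhost reads")
```

The middle case shows that separate accounts alone do not close the gap while the document roots stay world-readable; only the per-account layout with restrictive modes reports no cross-host reads.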
