From owner-freebsd-questions Mon Mar 18 8:42:36 2002
Date: Mon, 18 Mar 2002 19:43:31 +0300 (MSK)
From: Dmitry Mottl
To: Richard
Cc: "freebsd-questions@FreeBSD.ORG"
Subject: Re: Limit PERL opening file in a directory.
In-Reply-To: <200203181625.g2IGP9E01396@mail2.tpgi.com.au>

Hi

On Tue, 19 Mar 2002, Richard wrote:

> I have a few virtual sites on my server. There is a security risk
> that these users are able to open files that are not in their
> directory by using PERL scripts, because most of the system files
> are set as everyone-readable.
>
> Now, I just made it work so that the user cannot open a file out of
> his/her directory with PHP by adding php_admin_value open_basedir 'directory'
> to the Apache configuration file.
>
> I want to implement the same limitation with PERL.
> Also, I want to block some functions in PERL, such as system().
>
> Is there any suggestion? Thank you.

You'd better set proper permissions on files and directories.
Apache's suEXEC is very handy if you need to restrict CGI scripts'
permissions.
chmod 750 /home/site1
chown -R site1:wwwguest /home/site1
chmod 750 /home/site2
chown -R site2:wwwguest /home/site2

in httpd.conf:
===
User wwwguest
Group wwwguest

# per-site User/Group for suEXEC; the <VirtualHost> containers and their
# addresses below are assumed placeholders, not from the original message
<VirtualHost SITE1_ADDRESS>
    User site1
    Group site1
</VirtualHost>

<VirtualHost SITE2_ADDRESS>
    User site2
    Group site2
</VirtualHost>
===

So Apache will run as wwwguest and has access to the users' files
(read-only), but the users' scripts are run as their own uid/gid
(because suEXEC does it), so they can't access another user's directory.

--
Dmitry A. Mottl
Network Administrator
Skobeltsyn's Institute of Nuclear Physics
Moscow State University
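As an added check that is not part of Dmitry's message, the following Python script audits a site home directory against the layout he describes (top directory 0750, everything owned by the site user with group wwwguest) and flags the everyone-readable case Richard raises. The demo() tree and its script file are constructed samples, and because changing ownership needs root the running user and group stand in for site1 and wwwguest.

```python
import grp
import os
import pwd
import stat
import tempfile

def _owner_names(st):
    """uid/gid -> names, falling back to the numeric id if not in passwd/group."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group

def audit_site_dir(path, site_user, web_group="wwwguest"):
    """Findings for one site home; [] means top dir is 0750 and every entry is site_user:web_group."""
    findings = []
    top_mode = stat.S_IMODE(os.lstat(path).st_mode)
    if top_mode != 0o750:
        # "other" bits are the real problem: scripts suEXEC'd as any other site user can enter
        hint = " (world-accessible)" if top_mode & stat.S_IRWXO else ""
        findings.append(f"{path}: mode {top_mode:04o}, expected 0750{hint}")
    for root, _dirs, files in os.walk(path):  # chown -R covers the whole tree
        for entry in [root] + [os.path.join(root, f) for f in files]:
            user, group = _owner_names(os.lstat(entry))
            if user != site_user:
                findings.append(f"{entry}: owned by {user}, expected {site_user}")
            if group != web_group:
                findings.append(f"{entry}: group {group}, expected {web_group}")
    return findings

def demo():
    """Constructed sample: two site homes in a temp dir, site2 left at 0755.
    chown needs root, so the running user/group stand in for site1/wwwguest."""
    base = tempfile.mkdtemp()
    me, my_group = _owner_names(os.lstat(base))
    results = {}
    for site, mode in (("site1", 0o750), ("site2", 0o755)):
        home = os.path.join(base, site)
        os.mkdir(home)
        with open(os.path.join(home, "index.cgi"), "w") as fh:
            fh.write('#!/usr/bin/perl\nprint "ok\\n";\n')  # placeholder script
        os.chmod(home, mode)
        results[site] = audit_site_dir(home, me, my_group)
    return results
```

Run audit_site_dir("/home/siteN", "siteN") on a real host to list every deviation from the layout above; an empty list means the directory is closed to other sites' scripts.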