Date: Mon, 18 Mar 2002 19:43:31 +0300 (MSK)
From: Dmitry Mottl <dima@BigKing.sinp.msu.ru>
To: Richard <guyuan@telpacific.com.au>
Cc: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: Limit PERL opening file in a directory.
Message-ID: <Pine.BSF.4.43.0203181931500.59799-100000@BigKing.sinp.msu.ru>
In-Reply-To: <200203181625.g2IGP9E01396@mail2.tpgi.com.au>
Hi

On Tue, 19 Mar 2002, Richard wrote:

> I have a few virtual sites on my server. There is a security risk
> that these users are able to open files that are not in their own
> directory by using PERL scripts, because most of the system files
> are set as everyone-readable.
>
> Now, I just made it work so that the user cannot open a file outside
> of his/her directory with PHP by adding
>     php_admin_value open_basedir 'directory'
> into the Apache configuration file.
>
> I want to implement the same limitation with PERL.
> Also, I want to block some functions in PERL, such as system().
>
> Is there any suggestion? Thank you.

You had better set proper permissions on files and directories.
Apache's suExec is very handy if you need to restrict CGI scripts' permissions.

    chmod 750 /home/site1
    chown -R site1:wwwguest /home/site1
    chmod 750 /home/site2
    chown -R site2:wwwguest /home/site2

in httpd.conf:

===
User wwwguest
Group wwwguest

<VirtualHost site1_ip>
    User site1
    Group site1
</VirtualHost>

<VirtualHost site2_ip>
    User site2
    Group site2
</VirtualHost>
===

So Apache will run as wwwguest and has access to the users' files (read-only), but the users' scripts are run as their own uid/gid (because suExec does it), so they can't access another user's directory.

--
Dmitry A. Mottl
Network Administrator
Skobeltsyn's Institute of Nuclear Physics
Moscow State University

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.43.0203181931500.59799-100000>
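As an added example (not part of the thread above, and not Dmitry's or the FreeBSD project's code), the following POSIX sh script audits a site directory against the layout the reply describes: the site's top directory owned by the site user with no permission bits for "other", so a CGI script running under another site's uid cannot traverse into it, plus the mode checks suEXEC itself performs before it will execute a script (it refuses a script whose directory or file is writable by others, or whose file is setuid/setgid). It also carries a helper that applies the layout from the reply. The paths, the Apache group name wwwguest and the cgi-bin location are assumptions for illustration; the audit relies only on find's -perm and -user predicates, so it gives the same answer whether run as root or as an ordinary user.

```shell
#!/bin/sh
# Added example: audit a virtual host's home directory for the suEXEC
# layout described in the reply (dir owned by the site user, mode 750,
# Apache's group getting read access through the group bits) and for the
# mode checks suEXEC performs before running a CGI script. Names such as
# /home/siteN, wwwguest and cgi-bin are illustrative assumptions.

# Print $1 itself if any permission bit for "other" is set on it.
# -prune stops find from descending, so only the entry itself is tested;
# octal -perm -00X matches entries having at least those bits set.
other_bits_on() {
    find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Site top directory: must be owned by $2 (name or numeric uid) and grant
# nothing to "other". A 644 file below a 750 directory is still
# unreachable to another site's uid, because it cannot traverse the
# directory to name the file. Returns 0 when both checks pass.
audit_site_dir() {
    dir=$1; owner=$2; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    if [ -n "$(other_bits_on "$dir")" ]; then
        echo "$dir: accessible to others (want mode 750)" >&2; rc=1
    fi
    if [ -n "$(find "$dir" -prune ! -user "$owner" -print)" ]; then
        echo "$dir: not owned by $owner" >&2; rc=1
    fi
    return $rc
}

# CGI directory: suEXEC rejects a script whose directory or file is
# writable by others, or whose file is setuid/setgid. Report such entries
# here rather than discovering them one at a time in suexec_log.
audit_cgi_bin() {
    cgi=$1; rc=0
    [ -d "$cgi" ] || { echo "$cgi: not a directory" >&2; return 2; }
    bad=$(find "$cgi" \( -perm -002 -o -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$bad" ]; then
        echo "$cgi: entries suEXEC will refuse (world-writable or setuid/setgid):" >&2
        echo "$bad" >&2; rc=1
    fi
    return $rc
}

# Apply the layout from the reply to one site ($1 = site user, $2 = its
# directory). Needs root because of chown; assumes the site user and the
# Apache group "wwwguest" already exist. Also clears world-write bits on
# files below the top directory so suEXEC does not refuse them later.
lock_down_site() {
    site=$1; dir=$2
    chown -R "$site:wwwguest" "$dir" &&
    chmod 750 "$dir" &&
    find "$dir" -type f -perm -002 -exec chmod o-w {} \;
}

# Usage: sh audit_site.sh /home/site1 site1 [/home/site2 site2 ...]
while [ $# -ge 2 ]; do
    if audit_site_dir "$1" "$2" && audit_cgi_bin "$1/cgi-bin"; then
        echo "$1: ok"
    fi
    shift 2
done
```

Run the audit as `sh audit_site.sh /home/site1 site1 /home/site2 site2` after applying the chown/chmod steps from the reply; each problem is reported on stderr and the functions return non-zero, so they can be used from cron or a post-install check. Note that this covers scripts run through suEXEC; a PHP module running inside the Apache process still executes as wwwguest, which is why the open_basedir restriction the question mentions is a separate control.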