Date: Sat, 25 Aug 2001 09:55:34 -0500
From: Bob Martin <bob@buckhorn.net>
To: Clemens Hermann <haribeau@gmx.de>
Cc: BSD-ISP <freebsd-isp@FreeBSD.org>
Subject: Re: apache jail
Message-ID: <3B87BC66.680DABDF@buckhorn.net>
References: <20010825113754.A1025@homer.local> <3B87A920.91B65648@buckhorn.net> <20010825162224.A1051@homer.local>
Clemens Hermann wrote:
--snip
> I had a closer look, bothered google for the subject but did not find a
> solution. One of my bigger concerns is that apache/php allows scripts to
> dig around in my system as any shell user might do as well. There is no
> need (at least if you can offer the perl interpreter etc. anyway) so I
> would appreciate it a lot if no php/perl/etc. script could leave what
> apache defines as document-root.
> Many ftp-servers offer this feature (chroot after login) which makes
> much sense in my opinion but if you can bypass this with php and friends
> it makes far less sense.

This has been kicked around a lot over the years. If you chroot apache, then you either break SSI, or end up copying loads of stuff to the sandbox. If you modify permissions, you end up with unmanageable group lists, and possibly break other things as well. There just isn't a one-size-fits-all solution.

We've tried lots of solutions, and finally settled on this. The user's directory is chown user:group, files are mode 644 (traditional FBSD user==group). The only directory that has execute permissions is cgi-bin, and the user doesn't have write permissions to it (owner webmaster:user, mode 755). That means we have to put the [php] script in the cgi-bin for them. Right after we read it. If they want a binary in the cgi-bin, they have to furnish the code. All of this is enforced with chflags on the various directory structures.

Also note that we don't grant shell access, and you can't change permissions with ftp. <grin>

Once in a while, it's a real pain. And if you don't have a programmer lying around, it doesn't work. On the flip side, we have caught several malicious scripts, and more than a few that would have consumed large amounts of CPU and RAM.
http://www.apache.org/docs-2.0/misc/security_tips.html
http://www.bignosebird.com/apache/a11.shtml
http://www.devthreads.com/core/Languages/PHP/Scripts/Security_Systems/

Bob Martin
--
But in our enthusiasm, we could not resist a radical overhaul of the system, in which all of its major weaknesses have been exposed, analyzed, and replaced with new weaknesses.
-- Bruce Leverett, "Register Allocation in Optimizing Compilers"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
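The layout Bob describes above (user files mode 644, cgi-bin the only directory with execute bits and not writable by the user, everything else locked down) is easy to state and easy to drift away from. The following script is an added example, not code from the original post or from FreeBSD; it builds one user's tree with those modes and then audits a tree for the two things the policy forbids: an executable file outside cgi-bin, and anything in cgi-bin the user could write to. The ownership steps (user:group on the tree, webmaster:user on cgi-bin) need root and are shown only as comments, and the post does not say which chflags flag was used, so `schg` in `lock_webtree` is an assumption. Paths and file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the described layout
# and audit a tree against it. Ownership and the chflags flag are assumed
# or left as comments because both need root.
set -u

# Build one user's web tree under $1 with the modes from the post.
make_webtree() {
    root="$1"
    mkdir -p "$root/htdocs" "$root/cgi-bin"
    printf '<html>hello</html>\n' > "$root/htdocs/index.html"
    printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho ok\n' \
        > "$root/cgi-bin/hello.cgi"
    chmod 755 "$root" "$root/htdocs" "$root/cgi-bin"
    chmod 644 "$root/htdocs/index.html"   # user-owned content: never executable
    chmod 755 "$root/cgi-bin/hello.cgi"   # reviewed script, installed by staff
    # Production steps that need root (not run here):
    #   chown -R user:user "$root"
    #   chown webmaster:user "$root/cgi-bin" "$root/cgi-bin"/*
}

# Optional FreeBSD step. Assumption: the post says chflags is used but not
# which flag; schg (system immutable) stops even root from altering cgi-bin
# once securelevel > 0. Needs root, so the self-test does not call it.
lock_webtree() {
    command -v chflags >/dev/null 2>&1 || return 0
    chflags schg "$1/cgi-bin"
}

# Print every policy violation under $1, one per line:
#   - a regular file outside cgi-bin with any execute bit set
#   - any entry inside cgi-bin that group or world can write to
list_violations() {
    root="$1"
    find "$root" -path "$root/cgi-bin" -prune -o -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sed 's/^/exec bit outside cgi-bin: /'
    find "$root/cgi-bin" \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/writable in cgi-bin: /'
}

# Number of violations; 0 means the tree matches the policy.
count_violations() {
    list_violations "$1" | awk 'END { print NR }'
}

# Usage: sh webtree.sh /path/to/user  (builds the tree, then audits it)
if [ $# -gt 0 ]; then
    make_webtree "$1"
    list_violations "$1"
    echo "violations: $(count_violations "$1")"
fi
```

Run `count_violations` from cron over every customer directory; a non-zero count is the signal that someone has worked around the FTP-only restriction or that staff installed something with the wrong mode. The audit deliberately keys on permission bits rather than ownership, so it runs unprivileged and gives the same answer whether or not the chflags step has been applied.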