From owner-freebsd-isp Sat Aug 25 7:55:33 2001
Delivered-To: freebsd-isp@freebsd.org
Message-ID: <3B87BC66.680DABDF@buckhorn.net>
Date: Sat, 25 Aug 2001 09:55:34 -0500
From: Bob Martin
To: Clemens Hermann
Cc: BSD-ISP
Subject: Re: apache jail
References: <20010825113754.A1025@homer.local> <3B87A920.91B65648@buckhorn.net> <20010825162224.A1051@homer.local>

Clemens Hermann wrote:

--snip

> I had a closer look, bothered google for the subject but did not find a
> solution. One of my bigger concerns is that apache/php allows scripts to
> dig around in my system as any shell-user might do as well. There is no
> need (at least if you can offer the perl interpreter etc. anyways) so I
> would appreciate it a lot if no php/perl/etc-Script could leave what
> apache defines as document-root.
> Many ftp-servers offer this feature (chroot after login) which makes
> much sense in my opinion but if you can bypass this with php and friends
> it makes far less sense.

This has been kicked around a lot over the years. If you chroot apache,
then you either break SSI, or end up copying loads of stuff to the
sandbox. If you modify permissions, you end up with unmanageable group
lists, and possibly break other things as well. There just isn't a one
size fits all solution.

We've tried lots of solutions, and finally settled on this. The user's
directory is chown user:group, files are mode 644 (traditional FBSD
user==group). The only directory that has execute permissions is
cgi-bin, and the user doesn't have write permissions to it (owner
webmaster:user, mode 755). That means that we have to put the [php]
script in the cgi-bin for them. Right after we read it. If they want a
binary in the cgi-bin, they have to furnish the code. All of this is
enforced with chflags on the various directory structures. Also note
that we don't grant shell access, and you can't change permissions with
ftp.

Once in a while, it's a real pain. And if you don't have a programmer
laying around, it doesn't work. On the flip side, we have caught several
malicious scripts, and more than a few that would have consumed large
amounts of cpu and ram.

http://www.apache.org/docs-2.0/misc/security_tips.html
http://www.bignosebird.com/apache/a11.shtml
http://www.devthreads.com/core/Languages/PHP/Scripts/Security_Systems/

Bob Martin
-- 
But in our enthusiasm, we could not resist a radical overhaul of the
system, in which all of its major weaknesses have been exposed,
analyzed, and replaced with new weaknesses.
-- Bruce Leverett, "Register Allocation in Optimizing Compilers"
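The permission scheme Bob describes (files 644, directories 755, executables only in cgi-bin, cgi-bin not writable by the user) is easy to set up once and hard to keep intact as users upload content. The script below is an added example, not code from the post or from the FreeBSD project: a POSIX-sh `apply_layout` that normalises modes to the scheme and an `audit_layout` that reports drift, so it can be run from cron against each user's tree. It checks modes only; ownership (user:group on the tree, webmaster:user on cgi-bin) and the chflags step need real accounts and are assumed to be handled separately by the admin. The docroot path is a parameter, and the `/home/USER/www` in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original list post): audit the per-user web
# tree layout described on freebsd-isp.  Modes only; ownership and chflags
# are assumed to be applied by the admin with real accounts.

# report TAG LIST: print each path in LIST to stderr prefixed with TAG and
# print the number of paths to stdout (0 for an empty LIST).
report() {
    tag=$1; list=$2
    if [ -z "$list" ]; then
        echo 0
    else
        printf '%s\n' "$list" | sed "s|^|$tag |" >&2
        printf '%s\n' "$list" | wc -l | tr -d ' '
    fi
}

# apply_layout DOCROOT: directories 755, files 644.  Nothing keeps an execute
# bit; scripts that staff later install in cgi-bin get chmod 755 by hand.
apply_layout() {
    docroot=${1%/}
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
}

# audit_layout DOCROOT: list every deviation from the scheme on stderr and
# return 1 if any were found, 0 if the tree is clean.
audit_layout() {
    docroot=${1%/}
    n=0
    # 1. executable files anywhere outside cgi-bin (an uploaded script or
    #    binary that somehow acquired an execute bit)
    hits=$(find "$docroot" -path "$docroot/cgi-bin" -prune -o -type f \
               \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print)
    n=$((n + $(report EXEC-OUTSIDE-CGI "$hits")))
    # 2. group- or world-writable files or directories anywhere, cgi-bin
    #    included: the user is cgi-bin's group, not its owner, so a stray
    #    g+w would let them drop scripts in without staff reading them
    hits=$(find "$docroot" \( -perm -g+w -o -perm -o+w \) -print)
    n=$((n + $(report GROUP-OR-WORLD-WRITABLE "$hits")))
    [ "$n" -eq 0 ]
}

# usage: sh audit.sh /home/USER/www   (placeholder path; with no argument
# the file only defines the functions so it can be sourced)
[ $# -eq 1 ] && audit_layout "$1"
```

Run `apply_layout` once per user tree when the account is created and `audit_layout` periodically; a non-zero exit with `EXEC-OUTSIDE-CGI` or `GROUP-OR-WORLD-WRITABLE` lines on stderr is the signal that something slipped past the ftp-only, no-chmod policy. Only POSIX find primaries are used (`-path`, `-prune`, `-perm -mode`), so the same file runs under FreeBSD's find and GNU find.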