From: "Roland Dworschak"
Subject: RE: Limit PERL opening file in a directory / PHP
Date: Wed, 20 Mar 2002 09:38:14 +0100
List: freebsd-questions@freebsd.org

> Hi,
>
> I was just wondering if there's something like SuEXEC for PHP. I have
> a few virtual sites on my server. There is a security risk that these
> users are able to open files that are not in their directory by
> using PERL scripts, because most of the system files are set as
> everyone-read.
>
> Now, I just made it so that the user cannot open a file outside
> his/her directory with PHP by adding
>   php_admin_value open_basedir 'directory'
> to the Apache configuration file.
>
> I want to implement the same limitation with PERL.
> Also, I want to block some functions in PERL, such as system().
>
> Is there any suggestion? Thank you.

You should rather set proper permissions on files and directories. Apache's suEXEC is very handy if you need to restrict CGI scripts' permissions.
chmod 750 /home/site1
chown -R site1:wwwguest /home/site1
chmod 750 /home/site2
chown -R site2:wwwguest /home/site2

in httpd.conf:
===
User wwwguest
Group wwwguest

# <VirtualHost> block for site1
User site1
Group site1

# <VirtualHost> block for site2
User site2
Group site2
===

So Apache will run as wwwguest and has read-only access to the users' files, but the users' scripts run as their own uid/gid (because suEXEC does that), so they can't access another user's directory.

--
Dmitry A. Mottl
Network Administrator
Skobeltsyn's Institute of Nuclear Physics
Moscow State University
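An added example, not from this thread, that models the Unix permission check behind the layout above: it shows why a world-readable 755 directory is readable by another site's script while 750 with group wwwguest admits Apache (read only) and excludes other sites' users; world_readable inspects a real directory's "other" bits with ls -ld. The names wwwguest, site1 and site2 come from the mail; everything else is constructed.

```shell
#!/bin/sh
# Added example (not from the original mail): model the permission decision
# for "chmod 750 /home/siteN; chown siteN:wwwguest /home/siteN".

# perm_allows MODE OWNER GROUP USER USER_GROUPS WANT -> prints yes|no
#   MODE        three octal digits as given to chmod, e.g. 750
#   USER_GROUPS comma-separated groups the accessing user belongs to
#   WANT        r, w or x
perm_allows() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5 want=$6
    # Pick the owner, group or other digit, in that order of precedence.
    if [ "$user" = "$owner" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)
    elif printf ',%s,' "$user_groups" | grep -qF ",$group,"; then
        digit=$(printf '%s' "$mode" | cut -c2)
    else
        digit=$(printf '%s' "$mode" | cut -c3)
    fi
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) echo "perm_allows: want must be r, w or x" >&2; return 1 ;;
    esac
    if [ $(( digit & bit )) -ne 0 ]; then echo yes; else echo no; fi
}

# world_readable DIR -> prints yes|no from the "other" read bit shown by ls -ld
# (column 8 of the mode string: d rwx rwx rwx).
world_readable() {
    case $(ls -ld "$1" | cut -c8) in
        r) echo yes ;;
        *) echo no ;;
    esac
}

# The situation in the question: site directories left world-readable (755).
echo "755 site1:site1, read by site2's script:        $(perm_allows 755 site1 site1 site2 site2 r)"
# The fix from the reply: 750 owned by siteN with group wwwguest.
echo "750 site1:wwwguest, read by Apache (wwwguest):  $(perm_allows 750 site1 wwwguest wwwguest wwwguest r)"
echo "750 site1:wwwguest, write by Apache (wwwguest): $(perm_allows 750 site1 wwwguest wwwguest wwwguest w)"
echo "750 site1:wwwguest, read by site2's script:     $(perm_allows 750 site1 wwwguest site2 site2 r)"
```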