Date: Sun, 10 Nov 2002 17:03:55 -0500
From: Lee Nelson <jld123@pobox.com>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Permissions & user/group scheme for webserver?
Message-ID: <FEJIZV3XJDA1XV53RMDB4X1V97D974.3dced7cb@lee>
In-Reply-To: <p05111701b9f47039c0a8@[192.168.0.3]>
This is an excellent question, and it's also an enduring problem. It's easy enough to make all files owned by user:nobody, but the problem is that CGIs executing as nobody can go off and read other people's files! To counter this, I run all CGIs as suid the user. But this requires Apache's suexec code, which is difficult to get working properly, since the Apache folks disapprove and have placed so many restrictions on it. Of course you run the risk of an insecure CGI allowing an attacker to place files in your web tree, or plant trojan binaries. But hey, just don't write insecure CGIs! :)

I'd love to hear if anyone knows a way to restrict a CGI's access to a particular sub-tree. The suexec stuff really is a pain, and more of a risk than I really like to take.

-Lee

11/10/02 3:21:23 PM, Johannes Angeldorff <johannes@smartnet.se> wrote:

> Dear FreeBSD:ers!
>
> We are converting an old Windows web server to a new FreeBSD 4.6
> webserver with apache and PHP.
>
> I could really use some help/tips for securing the server for each user...
>
> I want users to be able to FTP in their files to their home
> directories, and I want the web server to be able to read and execute
> all users' files... But I _don't_ want users to be able to read each
> others' files (since they may include for example passwords for MySQL
> databases). And of course, the users should not be able to read other
> files on the machine, like /etc/master.passwd.
>
> Simply: I want users to only FTP in their own directories, and the
> web server to be able to read it all...
>
> Does anyone have a good scheme for how to set up users and groups - with
> suitable permissions - for the webserver, FTP and the users' home
> dirs?
>
> Very grateful for all help on this matter!
>
> Sincerely,
> Smartnet Sverige AB
>
> Johannes Angeldorff
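The two layouts discussed in this thread, modelled as an added illustration (not code from the mail or from FreeBSD): the Unix read check is applied for each customer and for the httpd user under a world-readable tree versus a tree owned by the user with group www. All uids, gids and names are constructed for the example.

```python
"""Model of the ownership schemes discussed in the thread.

Added illustration, not from the original mail. Evaluates the Unix
read-permission rule (owner, else group, else other) for a few
principals against each customer's files. Uids and gids are constructed.
"""
from dataclasses import dataclass

# Constructed principals: two customers plus the web server user.
UIDS = {"alice": 1001, "bob": 1002, "nobody": 65534}
GIDS = {"alice": 1001, "bob": 1002, "www": 80}

@dataclass(frozen=True)
class File:
    owner: int      # uid
    group: int      # gid
    mode: int       # permission bits, e.g. 0o640

@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset  # primary plus supplementary groups

def can_read(f: File, p: Principal) -> bool:
    """Unix consults exactly one class: owner, else group, else other."""
    if p.uid == f.owner:
        return bool(f.mode & 0o400)
    if f.group in p.gids:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

def scheme_world_readable() -> dict:
    """Files 0644 in the user's own group so nobody (httpd) can read them."""
    return {u: File(UIDS[u], GIDS[u], 0o644) for u in ("alice", "bob")}

def scheme_www_group() -> dict:
    """Files 0640 with group www: httpd reads via group, 'other' gets nothing."""
    return {u: File(UIDS[u], GIDS["www"], 0o640) for u in ("alice", "bob")}

def readers(tree: dict, principals: dict) -> dict:
    """Map each file's owner name to the set of principals able to read it."""
    return {owner: {name for name, p in principals.items() if can_read(f, p)}
            for owner, f in tree.items()}

PRINCIPALS = {
    "alice":  Principal(UIDS["alice"],  frozenset({GIDS["alice"]})),
    "bob":    Principal(UIDS["bob"],    frozenset({GIDS["bob"]})),
    "nobody": Principal(UIDS["nobody"], frozenset({GIDS["www"]})),  # httpd
}
```

The group scheme stops customers reading each other's files over FTP, but a CGI still runs as nobody and reads every customer's tree, which is the problem the reply above describes and why suexec runs each CGI under its owner's uid.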