From: Lewis Thompson
To: Shawn Mitchell
Cc: isp@freebsd.org
Date: Mon, 16 Feb 2004 21:44:38 +0000
Message-ID: <20040216214437.GC65551@lewiz.org>
Subject: Re: Apache and home directories (file browser).

On Mon, Feb 16, 2004 at 02:05:44PM -0600, Shawn Mitchell wrote:
> They're going to be logging in via a web interface (via HTTPS). From
> there they can upload files, delete, rename, etc, through their web
> browser.

Yes -- this is what I wanted :)

> Since all the files will have to be owned by the web services user
> (apache, wwwrun, nobody, whatever) so that the "legit" file management
> software can write/read/etc them, any software installed by Joe User,
> will have the same type of access.

This is also the worry I had. I've currently got Apache set up with
safe_mode enabled (but only for public_html dirs because I control the
rest of the scripts).

> Basically what he's asking, is how do you chroot VHOSTs in apache.
> So that one vhost, can not access another vhost's files.

I think this is what I'm looking for, yes. Since I posted this I asked
some questions on IRC and somebody mentioned that Apache can be chrooted
to the uid of a script's owner (similar in a way to safe_mode in PHP).
This would surely then allow files to be read/written by Apache in a
secure fashion.

My worry here is that Apache would have to be running as root to
chroot -- can anybody confirm this for me? (Indeed, can anybody confirm
that it is even possible to do this?)

Thanks very much,

-lewiz.

-- 
I was so much older then, I'm younger than that now.
--Bob Dylan, 1964.
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jabber:lewiz@jabber.org | url:www.lewiz.org |-
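
The shared-ownership concern discussed in this message, as an added example that is not part of the original post: it applies the Unix owner/group/other rule to constructed file metadata and compares what a script in one vhost can reach when everything is owned by the web server user versus when each file is owned by its customer and scripts run under that uid. The uids, paths and the /home/<customer>/public_html layout are assumptions.

```python
from collections import namedtuple

# Constructed sample metadata (path, owner uid, group gid, mode); not from the post.
Entry = namedtuple("Entry", "path uid gid mode")
WWW = 80                    # assumed uid/gid of the shared web server user
ALICE, BOB = 1001, 1002     # hypothetical customer accounts

# Model 1: the file manager runs as www, so every uploaded file is owned by www.
SHARED = [
    Entry("/home/alice/public_html/index.html", WWW, WWW, 0o644),
    Entry("/home/alice/public_html/config.php", WWW, WWW, 0o600),
    Entry("/home/bob/public_html/upload.php", WWW, WWW, 0o644),
]
# Model 2: each file is owned by its customer and scripts run under that uid.
PER_USER = [
    Entry("/home/alice/public_html/index.html", ALICE, ALICE, 0o644),
    Entry("/home/alice/public_html/config.php", ALICE, ALICE, 0o600),
    Entry("/home/bob/public_html/upload.php", BOB, BOB, 0o644),
]

def access(entry, uid, gids):
    """Return 'r', 'w', 'rw' or '' using the Unix owner/group/other rule.
    Only the first matching class applies; directory search bits are ignored."""
    if uid == 0:
        return "rw"
    if entry.uid == uid:
        shift = 6
    elif entry.gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (entry.mode >> shift) & 0o7
    return ("r" if bits & 4 else "") + ("w" if bits & 2 else "")

def vhost_of(path):
    """Assumed layout: /home/<customer>/public_html/..."""
    return path.split("/")[2]

def cross_vhost_exposure(entries, script_vhost, uid, gids):
    """Files outside script_vhost that a script running as uid/gids can reach."""
    exposed = {}
    for e in entries:
        if vhost_of(e.path) != script_vhost:
            rights = access(e, uid, gids)
            if rights:
                exposed[e.path] = rights
    return exposed

if __name__ == "__main__":
    print("shared uid :", cross_vhost_exposure(SHARED, "bob", WWW, {WWW}))
    print("per-user   :", cross_vhost_exposure(PER_USER, "bob", BOB, {BOB}))
```

In the per-user model the world-readable bit on index.html still exposes it for reading, so mode bits matter even after ownership is separated.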