From owner-freebsd-isp Tue Nov 12 20:35:24 2002 Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 80EAC37B404 for ; Tue, 12 Nov 2002 20:35:21 -0800 (PST) Received: from rhid.com (rhid.com [64.49.215.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2F95C441F5 for ; Tue, 12 Nov 2002 20:32:32 -0800 (PST) (envelope-from jwp@rhid.com) Received: from mail.rhid.com (0-1pool215-117.nas32.tempe1.az.us.da.qwest.net [67.3.215.117]) by rhid.com (Postfix) with ESMTP id 3457F356F63 for ; Wed, 13 Nov 2002 04:31:24 +0000 (GMT) Received: by mail.rhid.com (Postfix, from userid 1000) id 6F52A2C94F; Tue, 12 Nov 2002 21:32:26 -0700 (MST) Date: Tue, 12 Nov 2002 21:32:26 -0700 From: James Pye To: FreeBSD ISP List Subject: Re: per-user groups Message-ID: <20021113043225.GA83041@void> Reply-To: jwp@rhid.com References: <20021105130922.A36056@cthulu.compt.com> <20021110214410.GA98103@users.munk.nu> <20021112085654.GA55722@blazingdot.com> <20021112201947.GA28569@users.munk.nu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="qDbXVdCdHGoSgWSk" Content-Disposition: inline In-Reply-To: <20021112201947.GA28569@users.munk.nu> User-Agent: Mutt/1.4i Organization: rhid development Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --qDbXVdCdHGoSgWSk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable greetings, suEXEC wrapper seems to solve the problem about running CGI scripts as the= www user. you can use the User and Group directives inside = with the suEXEC wrapper enabled. tho, wouldn't it be useful to spawn httpd processes serving a virtualhost'= s pages as the User and Group specified within ? suEXEC appare= ntly only affects cgi scripts.. perhaps i am missing something tho...(this = would solve the problem without placing the www user in the user's group) of course, there are security considerations involved with using suEXEC... http://httpd.apache.org/docs/suexec.html -james On 11/12/02:45/2, Jez Hancock wrote: > Date: Tue, 12 Nov 2002 20:19:47 +0000 > From: Jez Hancock > To: FreeBSD ISP List > Subject: Re: per-user groups >=20 > On Tue, Nov 12, 2002 at 12:56:54AM -0800, Marcus Reid wrote: > > Another way to do almost the same thing is to have the users home > > directory perms set to rwxr-x--x. Apache can get to the users public_ht= ml > > directory, and noone can get a directory listing of another persons home > > directory. Users still have to make sure that files they don't want to > > be world readable aren't world readable, but it's a solution that suits > > my tastes a little better. > This is how I had my system setup until a few days ago, the nice thing ab= out > it being if one user in a shell wants to let another user look at a file = they > can just say 'have a look at /home/myhome/file' and providing the perms on > 'file' are right, the other user can still see the file even though they > can't actually run a listing on the directory /home/myhome. >=20 > Obviously though this runs the risk of letting user's guess the location = of > important files in a shell (which was why I moved away from this setup) -= say by > attempting to read commonly used names for config files, ie: >=20 > 'cat /home/another/web/include/config.php' >=20 > Regarding what you say about user's being able to use the fact the 'www' = user is > in all user groups to write malicious scripts to read / traverse director= ies outside > their own home dir - I know you can setup PHP to stop this (using the ope= n_basedir > and safe_mode php.ini settings for example), but how do you do similar fo= r cgis? >=20 > Incidentally I'm having hassles getting that setup I suggested to work, i= t's totally > baffling. I'm sticking with the method you mention Marcus for now ;) >=20 > Regards, >=20 > Jez >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-isp" in the body of the message --qDbXVdCdHGoSgWSk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE90dXZnbjJW1rXbm8RAuDgAJ4uxKfTqF60RCrxjI5KRk2wTkxKqQCgoN1O 7XPuvCttMP55h4HxP6lMF3M= =nL1L -----END PGP SIGNATURE----- --qDbXVdCdHGoSgWSk-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message