From owner-freebsd-isp Sun Aug 19 21:16:17 2001
From: "Dave" <dave@nexusinternetsolutions.net>
To: freebsd-isp@freebsd.org
Subject: security check - virtual host and mod php
Date: Mon, 20 Aug 2001 00:13:30 -0400

Posted here in relation to an ISP-type implementation. Please hack apart this solution and point out the errors/insecure nature of the setup.

Goal: provide PHP (and other scripts) access to name-based virtual hosts on FreeBSD boxes.

Problem: security of PHP access to the base system and other users' scripts; using PHP to browse other directories on the server and retrieve database names and passwords stored within scripts and such, from items that must be readable by the httpd server.

Solution: apache compiled with suexec

    # set user and group to unique
    chown USERID:USERID /path/to/user/html/directory

    # no public access to any files under here that
    # you don't want public reading, like scripts
    # with database login information in them
    chmod -R 0750 /path/to/user/html/directory

    # set group sticky execution... we will run
    # apache as this unique group so may not be needed
    chmod -R g+s /path/to/user/html/directory

In apache's httpd.conf:

    # set each virtual host to run any accesses
    # as the group USERID giving them only access
    # to this directory... defeats PHP directory
    # and shell scripts as long as no public read bits
    # are set
    ServerName whatever.com
    Group USERID

Sufficient? You end up with http://test1.com and http://test2.com being unable to create PHP scripts or do listings of any other virtual user directory, since they are not of the same group, but accesses to the site are made by invoking apache as that group for that session.

Directory tree:

    drwxr-s---  2 user1  user1  512 Aug 19 18:23 vtest1
    drwxr-s---  2 user2  user2  512 Aug 19 18:26 vtest2

With directory groups set in the httpd.conf for user1 in vtest1 and user2 in vtest2, neither user should be able to use PHP filesystem functions to browse the other's directory as long as no public bits are set, and apache server requests still serve the documents from the directories, since each user's directory has a Group user1 (or user2) set for his directory in the directory or virtual container, thus executing the apache requests as the appropriate user and not the generic www user.

Please feel free to point out any errors in my logic... it appears pretty solid from here.

Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
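An added example, not from Dave's post or from the FreeBSD project: the setup above only isolates hosts while no file under a docroot carries a public ("other") permission bit and every directory keeps its setgid bit, so this sh audit walks a docroot and fails if either precondition is broken. The `audit_docroot` and `demo_tree` function names and the sample tree are hypothetical.

```shell
#!/bin/sh
# Audit one virtual host's document root for the two preconditions the
# group-per-host scheme depends on: no "other" bits anywhere (a world-
# readable config.php is exactly what another host's PHP could read), and
# setgid on every directory so new files inherit the per-host group.
# Prints offending paths on stderr; returns 0 only when the tree is clean.
audit_docroot() {
    dir=$1
    rc=0
    # Octal 004/002/001 are the "other" read/write/execute bits; any one
    # of them set on any entry defeats the isolation.
    bad=$(find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$bad" ]; then
        printf 'public bit set:\n%s\n' "$bad" >&2
        rc=1
    fi
    # 2000 is the setgid bit; a directory without it lets files created
    # there fall into the creator's primary group instead of the host's.
    nosgid=$(find "$dir" -type d ! -perm -2000 -print)
    if [ -n "$nosgid" ]; then
        printf 'setgid missing:\n%s\n' "$nosgid" >&2
        rc=1
    fi
    return $rc
}

# Constructed demo tree (hypothetical): a vtest1 docroot laid out the way
# the post prescribes (0750 dirs with g+s, 0640 script holding a credential).
# Echoes the docroot path so a caller can audit it.
demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/vtest1/inc"
    echo '<?php $db_pass = "PLACEHOLDER"; ?>' > "$base/vtest1/inc/config.php"
    chmod 0750 "$base/vtest1" "$base/vtest1/inc"
    chmod g+s "$base/vtest1" "$base/vtest1/inc"
    chmod 0640 "$base/vtest1/inc/config.php"
    echo "$base/vtest1"
}
```

Run `audit_docroot /path/to/user/html/directory` for each host after the chmod steps; a non-zero exit means another host's scripts could still reach something in that tree.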