Date: Mon, 16 Feb 2004 14:05:44 -0600
From: "Shawn Mitchell" <shawnm@iodamedia.net>
To: "Andy Dills" <andy@xecu.net>, "Lewis Thompson" <purple@lewiz.net>
Cc: isp@freebsd.org
Subject: RE: Apache and home directories (file browser).
Message-ID: <HJEELFHCPNPOPDIOMAKBOEDJCDAA.shawnm@iodamedia.net>
In-Reply-To: <Pine.BSF.4.44.0402161354460.38683-100000@thunder.xecu.net>
I don't think this is what his original question was referring to.

He's going to be using a scripting language number one. If it is php, perl, python, or whatever else, it doesn't matter. They're going to be logging in via a web interface (via HTTPS). From there they can upload files, delete, rename, etc, through their web browser. This is no problem, there are several packages out there that can do this. (I use one written in PHP for internal stuff)

But here's where the problem is... What happens when someone else loads up the same type of package? They can then go scrolling through everyone else's directories. Since all the files will have to be owned by the web services user (apache, wwwrun, nobody, whatever) so that the "legit" file management software can write/read/etc them, any software installed by Joe User will have the same type of access.

Basically what he's asking is how do you chroot VHOSTs in apache, so that one vhost cannot access another vhost's files.

chrooting in ftp (I use PureFTP since it supports a MySQL auth backend, but you can use whatever).

Using .htaccess files only keeps general browsing, same as index files.

Just another quick example...

/home/joe/access_list                 <--- Access list for Joe's .htaccess files
/home/tim/public_html/file_add.php    <-- Some script Tim has in his directory

file_add.php contents...

    // Target path taken from the listing above; it was left undefined in the snippet as posted
    $filename = "/home/joe/access_list";
    $user_to_add = "tim:crypt_password";
    $handle = fopen($filename, 'a');   // open in append mode
    fwrite($handle, $user_to_add);
    fclose($handle);

And wham, thanks to Apache's scripting security and great vhost support, tim now has whatever access to joe's website.

Same thing if he reads a config file on a vhost server, and gets his database username/password info as well.

-----Original Message-----
From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Andy Dills
Sent: Monday, February 16, 2004 12:57 PM
To: Lewis Thompson
Cc: isp@freebsd.org
Subject: Re: Apache and home directories (file browser).

On Mon, 16 Feb 2004, Lewis Thompson wrote:

> Hi,
>
> I was recommended to ask here for information on running Apache in a way
> that regular system users can access their home directories.
>
> I think this is quite a straightforward question -- I'd like to allow
> user fred to log in over HTTPS and have access to upload, delete,
> rename, etc. all of the files he has permission to access (or possibly
> restricted to just his home directory -- sort of a chroot).
>
> Is this possible using Apache (or maybe some other application)? And
> more importantly can it be done in a secure fashion?

Hmm...unless I'm overlooking something, what would be the problem with using ftpd?

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
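
Added example, not part of the original message or thread: a Python audit sketch of the exposure described above, listing the files under each home directory that the web server account can read or write according to their mode bits. The function names and the sample tree are constructed for illustration; directory traversal permissions and ACLs are ignored as a simplifying assumption.

```python
import os
import stat
import tempfile

def web_user_access(st, web_uid, web_gids):
    """Return (can_read, can_write) for the web server account from mode bits."""
    if st.st_uid == web_uid:                  # owner bits apply
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid in web_gids:               # group bits apply
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:                                     # "other" bits apply
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(st.st_mode & r), bool(st.st_mode & w)

def audit_homes(home_root, web_uid, web_gids=frozenset()):
    """List (tenant, relative path, access) for files the web account can reach."""
    findings = []
    for tenant in sorted(os.listdir(home_root)):
        base = os.path.join(home_root, tenant)
        for dirpath, dirs, files in os.walk(base):
            dirs.sort()                       # deterministic report order
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue                  # skip symlinks, sockets, devices
                can_r, can_w = web_user_access(st, web_uid, web_gids)
                if can_r or can_w:
                    access = ("r" if can_r else "") + ("w" if can_w else "")
                    findings.append((tenant, os.path.relpath(path, base), access))
    return findings

def build_sample(root):
    """Constructed sample tree using the paths named in the message."""
    layout = {"joe/access_list": 0o600, "joe/public_html/config.php": 0o640,
              "tim/public_html/file_add.php": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Assumption: the current uid owns the sample files and stands in for the web account.
        for tenant, rel, access in audit_homes(build_sample(tmp), os.getuid()):
            print(f"{tenant}/{rel}: web account has '{access}'")
```

Calling `audit_homes` with a uid that does not own the files shows what the web account would still reach if each user's files were owned by that user's own account.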