Jeff Abrahamson on Thu, 14 Nov 2002 11:30:06 -0500


Re: [PLUG] webhosting question again


On Thu, Nov 14, 2002 at 08:22:29AM -0500, Kevin Brosius wrote:
> epike@isinet.com wrote:
> > 
> > ok i have another question about webhosting.
> > 
> > the scenario is,
> > 
> > - lots of users using the same
> >   machine serving virtual websites.
> > 
> > - some users may want their own cgi-bin
> > 
> > regardless of any security i think of by way
> > of permissions, I can't think of a secure way
> > to protect the users' files from each other.  The reason
> > is if somebody writes a cgi-bin that should be
> > readable and executed by apache, then that process
> > will have the power to read other people's web files!
> 
> Um, aren't these web page files?  Why would you want to make them read
> protected from other accounts?  Aren't they already publicly accessible
> through the web server?

Yes, but there are subtleties.

Let's say that you and I have accounts on machine www.foo.com. In
~jeff/public_html, I put some files with .htaccess or some other
technique to make them servable only to some people.

Meanwhile you write a cgi that displays the results of a "find
~jeff/public_html -print" and then lets you choose a file to display
from that list.

Because apache has to be able to read all these files to display them
to authorized users, your cgi program can read them, too, unless
apache is configured to change its uid when running cgi's. So then my
access control is for naught.

Consider also that my cgi programs probably have my database user id
and password embedded in them or at least in a preference file that
they can read. But, again, those files are readable by apache, so I'd
like to trust that you can't modify my web site just by signing up
with my ISP, writing a cgi to find my database password, and then
exploring and modifying my data.

IIRC, the solution is to have apache change its uid before executing
a cgi program. But I haven't set this up myself, so I'm not really
sure of the apache config details.

-- 
 Jeff

 Jeff Abrahamson  <http://www.purple.com/jeff/>

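An added example, not part of the original message: a Python audit of the exposure described above, comparing which files in a constructed public_html tree a CGI can read when it runs as the site owner (after a uid switch, for instance Apache's suEXEC) and when it runs under the shared web-server uid. The file names, modes and the "owner + 1" httpd uid are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import tempfile

def can_access(st, uid, gids, want):
    """Owner/group/other check for one bit (4=read, 1=search); no ACLs, no root."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def readable_files(root, uid, gids=()):
    """Regular files under root that a process running as uid/gids could open."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not can_access(os.stat(dirpath), uid, gids, 1):
            dirnames[:] = []          # no search bit: nothing below is reachable
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and can_access(st, uid, gids, 4):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def demo():
    """Build a constructed tree; return (site-owner view, shared-httpd view)."""
    root = tempfile.mkdtemp()
    layout = {                        # constructed sample files and modes
        "index.html": 0o644,
        "private/.htaccess": 0o644,   # access control enforced only by Apache
        "private/report.html": 0o644,
        "cgi-bin/db.conf": 0o600,     # database password, owner-only
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)
    owner = os.stat(root).st_uid      # hypothetical httpd uid is owner + 1
    views = (readable_files(root, owner), readable_files(root, owner + 1))
    shutil.rmtree(root)
    return views

if __name__ == "__main__":
    for who, files in zip(("site owner", "shared httpd uid"), demo()):
        print(f"CGI running as {who} can read: {files}")
```

The shared-uid view still contains private/report.html, because .htaccess restricts HTTP clients and not filesystem reads. db.conf stays out of that view only because it is mode 0600, which works only when the owner's own CGI runs under the owner's uid.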