Apache+PHP+ftp security
From: abend (roy_at_clusterdigital.com)
Date: 03/25/05
- Previous message: Scott Gifford: "Re: A question about passwords and login/authentication"
- Next in thread: Eduardo Tongson: "Re: Apache+PHP+ftp security"
- Reply: Eduardo Tongson: "Re: Apache+PHP+ftp security"
- Reply: Shawn Parker: "Re: Apache+PHP+ftp security"
- Reply: Kalevi Nyman: "Re: Apache+PHP+ftp security"
- Maybe reply: Scott Fagg: "RE: Apache+PHP+ftp security"
- Maybe reply: blogleser-8_at_yahoo.de: "Re: Apache+PHP+ftp security"
- Reply: Mailinglists Address: "Re: Apache+PHP+ftp security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Mar 2005 19:54:44 +0100
To: focus-linux@securityfocus.com
Hi all,
I'm configuring a linux server which may act as our main hosting
server. That is, we provide hosting services for small businesses, and
we need to configure our linux server to host their web pages. Our
clients will upload their files by ftp (now it's vsftpd).
Our first purpose was setting the ftp server so that uploaded files are
owned by the user who logged in and by group www-data (the files for
each virtual server are under /home/example/www, where example stands
for an example user), with umask set to 027. Our requirement is that
the user example does not belong to the www-data group. This way we
get no problems about users reading another user's php code, etc, but we
didn't find any ftp server which permits us to do that (proftpd has a
GroupOwner directive which makes uploaded files group-owned by
the group we want, but the user needs to belong to that group,
which is not our intention). We searched for information on how to run
the ftp server (the child process after authentication of the user)
with the appropriate user but with pgid www-data, and make the files
owned by this group, but neither proftpd, wu-ftpd nor vsftpd matched
these characteristics.
Our last approach was making users belong to the www-data group. This
doesn't directly protect one user's php code from the others, but our
clients don't get shell access, and we thought we can configure PHP
safe_mode. The problem with this is that files created by a php script
are owned by the user who runs apache: www-data; if we
want to read these files from another php script, owned by some user,
it'll fail according to our safe_mode configuration. We can't use
suExec because we're using mod_php, not cgi. I've read a recent
thread on this same mailing list about all this, but it didn't help.
In order to solve my problem, my questions are:
- Can I run apache's child processes with an arbitrary user
(configured on a per-VirtualHost basis)? This solves the second problem,
but is this a good idea?
- Does anyone know how to make the first configuration work as
expected? This solves the problem (safe_mode not needed).
- Any other ideas?
Yours,
Roi Rodriguez
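
An audit of the first layout described in the message above (files owned by the account, group www-data, nothing beyond what umask 027 allows, account not in www-data), as an added example that is not part of the original post. The function name `audit_docroot` and the command-line form are assumptions made for illustration.

```python
import os
import stat

UMASK = 0o027  # from the post: no group write, nothing at all for "other"


def audit_docroot(root, owner_uid, web_gid, umask=UMASK):
    """Return sorted (path, problem) findings for root and everything below it."""
    findings = []

    def check(path):
        st = os.lstat(path)  # lstat: judge a symlink itself, not its target
        if st.st_uid != owner_uid:
            findings.append((path, "owner uid %d, expected %d" % (st.st_uid, owner_uid)))
        if st.st_gid != web_gid:
            findings.append((path, "group gid %d, expected %d" % (st.st_gid, web_gid)))
        # Bits that umask 027 would have cleared (0640 files, 0750 directories).
        extra = stat.S_IMODE(st.st_mode) & umask
        # Symlink mode bits carry no meaning on Linux, so they are not reported.
        if extra and not stat.S_ISLNK(st.st_mode):
            findings.append((path, "mode bits %04o violate umask %04o" % (extra, umask)))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    # Assumed usage: audit.py example /home/example/www
    user, root = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    web = grp.getgrnam("www-data")
    # The post requires that the account is NOT a member of www-data.
    if pw.pw_gid == web.gr_gid or user in web.gr_mem:
        print("%s: account is a member of www-data" % user)
    for path, problem in audit_docroot(root, pw.pw_uid, web.gr_gid):
        print("%s: %s" % (path, problem))
```
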