Re: Apache+PHP+ftp security

From: Shawn Parker (shawn.parker_at_cumulus.com)
Date: 03/28/05

    Date: Mon, 28 Mar 2005 10:48:57 -0600
    To: abend <roy@clusterdigital.com>
    
    

    Jail users to their directory. proftpd does this quite easily. You
    shouldn't let users go outside of */home/~user* anyway, regardless of
    their group designation.

    abend wrote:

    >Hi all,
    >
    >I'm configuring a linux server which may act as our main hosting
    >server. That is, we provide hosting services for small businesses, and
    >we need to configure our linux server to host their web pages. Our
    >clients will upload their files by ftp (now it's vsftpd).
    >
    >Our first purpose was setting the ftp server to upload the files to be
    >owned by the user which logged in and by group www-data (the files for
    >each virtual server are under /home/example/www, where example stands
    >for an example user), and umask set to 027. Our requirement is that
    >the user example does not belong to the www-data group. This way we
    >get no problems about users reading another user's php code, etc., but we
    >didn't find any ftp server which permits us to do that (proftpd has a
    >GroupOwner directive which makes uploaded files group-owned by
    >the group we want, but the user needs to belong to that group,
    >which is not our intention). We searched for information on how to run
    >the ftp server (the child process after authentication of the user)
    >with the appropriate user but with pgid www-data, and make the files
    >owned by this group, but neither proftpd, wu-ftpd nor vsftpd matched
    >these characteristics.
    >
    >Our last approach was making users belong to the www-data group. This
    >doesn't protect the php code of one from the others directly, but our
    >clients don't get shell access, and we thought we could configure PHP
    >safe_mode. The problem with this is that files created by a php script
    >are created to be owned by the user who runs apache: www-data; if we
    >want to read these files by another php script, owned by some user,
    >it'll fail according to our safe_mode configuration. We can't use
    >suExec because we're using mod_php, not cgi. I've read a recent
    >thread in this same mailing list about all this, but it didn't help.
    >
    >In order to solve my problem, my questions are:
    >- Can I run apache's child processes with an arbitrary user
    >(configured on a VirtualHost basis)? This solves the second problem,
    >but is this a good idea?
    >- Does anyone know how to make the first configuration work as
    >expected? This solves the problem (safe_mode not needed).
    >- Any other ideas?
    >
    >Yours,
    >Roi Rodriguez
    >
    >
    >

    -- 
    Shawn Parker
    Network Administrator
    Cumulus Broadcasting, LLC.
    Columbia, Missouri - KBXR, KFRU, KOQL, KPLA
    Jefferson City, Missouri - KBBM, KJMO, KLIK
    573-449-4141 Ext. 331
    573-449-7770 (F)
    573-356-3716 (M)
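
Whichever FTP daemon ends up enforcing the jail, the ownership scheme described in the quoted question (files owned by the customer, group www-data, umask 027) can be checked after the fact. The following audit script is an added example, not part of the original thread; the function names are hypothetical and the sample tree is constructed, and on a real host you would pass the customer's uid and the gid of www-data.

```python
import os
import stat
import tempfile

# Permission bits a umask of 027 strips: group write and all "other" access.
FORBIDDEN = stat.S_IWGRP | stat.S_IRWXO


def audit_docroot(root, owner_uid, web_gid):
    """Return sorted (relative path, problem) pairs for entries under root
    that break the scheme: owned by the customer, group = web server group,
    no bits beyond what umask 027 allows."""
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not enforced
        rel = os.path.relpath(path, root)
        if st.st_uid != owner_uid:
            findings.append((rel, "owner"))
        if st.st_gid != web_gid:
            findings.append((rel, "group"))
        if stat.S_IMODE(st.st_mode) & FORBIDDEN:
            findings.append((rel, "mode"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data: a throwaway docroot with two bad modes."""
    root = tempfile.mkdtemp(prefix="www-")
    os.mkdir(os.path.join(root, "inc"))
    layout = {"index.php": 0o640, "leak.php": 0o644, "inc/db.php": 0o660}
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "inc"), 0o750)
    os.chmod(root, 0o750)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    st = os.stat(root)
    for rel, problem in audit_docroot(root, st.st_uid, st.st_gid):
        print(f"{rel}: {problem}")
```
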
    
