Re: Apache+PHP+ftp security
From: Shawn Parker (shawn.parker_at_cumulus.com)
Date: Mon, 28 Mar 2005 10:48:57 -0600
To: abend <firstname.lastname@example.org>

Jail users to their directory. proftpd does this quite easily. You
shouldn't let users go outside of */home/~user* anyway, regardless of
their group designation.

>I'm configuring a Linux server which may act as our main hosting
>server. That is, we provide hosting services for small businesses, and
>we need to configure our Linux server to host their web pages. Our
>clients will upload their files by ftp (now it's vsftpd).
>
>Our first purpose was setting the ftp server to upload the files to be
>owned by the user which logged in and by group www-data (the files for
>each virtual server are under /home/example/www, where example stands
>for an example user), and umask set to 027. Our requirement is that
>the user example does not belong to the www-data group. This way we
>get no problems about users reading another user's PHP code, etc., but we
>didn't find any ftp server which permits us to do that (proftpd has a
>GroupOwner directive which makes uploaded files group-owned by
>the group we want, but the user needs to belong to that group,
>which is not our intention). We searched for information on how to run
>the ftp server (the child process after authentication of the user)
>with the appropriate user but with pgid www-data, and make the files
>owned by this group, but neither proftpd, wu-ftpd or vsftpd matched
>
>Our last approach was making users belong to the www-data group. This
>doesn't protect the PHP code of one from the others directly, but our
>clients don't get shell access, and we thought we could configure PHP
>safe_mode. The problem with this is that files created by a PHP script
>are created to be owned by the user who runs apache: www-data; if we
>want to read these files by another PHP script, owned by some user,
>it'll fail according to our safe_mode configuration. We can't use
>suExec because we're using mod_php, not cgi. I've read a recent
>thread in this same mailing list about all this, but it didn't help.
>
>In order to solve my problem, my questions are:
>- Can I run apache's child processes with an arbitrary user
>(configured on a per-VirtualHost basis)? This solves the second problem,
>but is this a good idea?
>- Does anyone know how to make the first configuration work as
>expected? This solves the problem (safe_mode not needed).
>- Any other ideas?

--
Shawn Parker
Network Administrator
Cumulus Broadcasting, LLC.
Columbia, Missouri - KBXR, KFRU, KOQL, KPLA
Jefferson City, Missouri - KBBM, KJMO, KLIK
573-449-4141 Ext. 331
573-449-7770 (F)
573-356-3716 (M)
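
An added example, not part of the original thread: a shell check that a hosting tree actually matches the layout the quoted question asks for (files owned by the client's user, group www-data, nothing that umask 027 would have cleared). The function names `audit_webroot` and `audit_all` are hypothetical, and `audit_all` assumes each directory under `/home` is named after its owning user.

```sh
#!/bin/sh
# audit_webroot DIR OWNER GROUP
# Lists entries under DIR that break the layout from the question:
#   MODE  - has a bit that umask 027 clears (group write, any "other" access)
#   OWNER - not owned by OWNER
#   GROUP - group is not GROUP
# OWNER and GROUP may be names or numeric ids.
audit_webroot() {
    dir=$1; owner=$2; group=$3
    # Symlinks always report mode 777, so skip them in the mode check.
    find "$dir" ! -type l \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print | sed 's/^/MODE /'
    find "$dir" ! -user "$owner" -print | sed 's/^/OWNER /'
    find "$dir" ! -group "$group" -print | sed 's/^/GROUP /'
}

# audit_all [BASE] [GROUP]
# Runs the check on every BASE/<user>/www (defaults taken from the
# question: /home and www-data). Assumption: <user> is the account name.
audit_all() {
    base=${1:-/home}; group=${2:-www-data}
    for www in "$base"/*/www; do
        [ -d "$www" ] || continue
        user=$(basename "$(dirname "$www")")
        audit_webroot "$www" "$user" "$group"
    done
}
```

An empty result means every web root matches the scheme; any `MODE` line is a file another local account or a too-permissive upload could expose.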