Re: Apache Security Issue
From: Chronos Tachyon (firstname.lastname@example.org)
- In reply to: Gulu: "Apache Security Issue"
From: Chronos Tachyon <email@example.com>
Date: Mon, 14 Jan 2002 22:07:35 GMT
On Mon 14 Jan 2002 12:42, Gulu wrote:
> I just recognized that with Apache configured for VirtualHosts, any user
> can access other users' files via a CGI or ASP script, they even are able to
> read system files. The system I'm using seems to be considered on
> security, so I'm wondering if there is any way to solve this problem so
> - no one can access another user's Apache root directory (e.g. /home/user1)
> - no one can read files using a file system call in CGI or ASP
> - everyone can execute CGI / ASP scripts in the specified directory
>   within the user's directory (e.g. /home/user1/www/cgi-bin/)
> Do you know of this problem? Is suexec a possible solution? Any experience
> with suexec?
> Thanks for helping
If you configure Apache to use suexec, then put a "User <unique-user-name>"
directive inside each <VirtualHost>, Apache will make CGI programs for the
different vhosts run as different users. The actual files in the
DocumentRoot will still need to be readable to Apache, although I believe
that the CGI scripts themselves can be private to the vhost user. For any
other type of dynamic content, suexec will only work if the interpreter is
an external program and not a module compiled into Apache.
--
Chronos Tachyon
http://chronos.dyndns.org/ -- WWED?
Guardian of Eristic Paraphernalia
Gatekeeper of the Region of Thud
4:02pm up 78 days, 19:57, 2 users, load average: 0.22, 0.23, 0.15
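A check for the advice in the reply above, as an added example that is not part of the original post or of Apache itself: it parses a configuration and flags every `<VirtualHost>` that has no `User` directive or that shares its `User` with another vhost. The hostnames and the sample configuration are constructed, and the script assumes a single file using the `User` form named in the reply (Apache 2.x expresses the same setting with `SuexecUserGroup`).

```python
import re
from collections import defaultdict

# Constructed sample configuration; hostnames and paths are illustrative.
SAMPLE_CONF = """
<VirtualHost *>
    ServerName user1.example.com
    ScriptAlias /cgi-bin/ /home/user1/www/cgi-bin/
    User user1
</VirtualHost>
<VirtualHost *>
    ServerName user2.example.com
    ScriptAlias /cgi-bin/ /home/user2/www/cgi-bin/
    # User user2   (commented out: CGI runs as the main server user)
</VirtualHost>
<VirtualHost *>
    ServerName user3.example.com
    User user1
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of directive `name` in a vhost body, or None."""
    for line in body.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) >= 2 and parts[0].lower() == name.lower():
            return parts[1]
    return None

def audit_vhost_users(conf_text):
    """Flag vhosts with no User directive or sharing a User with another vhost."""
    findings, by_user = [], defaultdict(list)
    for n, match in enumerate(VHOST_RE.finditer(conf_text), 1):
        body = match.group(1)
        name = directive(body, "ServerName") or f"vhost#{n}"
        user = directive(body, "User")
        if user is None:
            findings.append((name, "no User directive"))
        else:
            by_user[user].append(name)
    for user, names in by_user.items():
        if len(names) > 1:  # the reply asks for a unique user per vhost
            findings.extend((nm, f"shares User {user}") for nm in names)
    return findings

if __name__ == "__main__":
    print(*audit_vhost_users(SAMPLE_CONF), sep="\n")
```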