Re: Apache Security Issue

From: Chronos Tachyon <chronos_tachyon@please.no.spam.in.my.mail.com>
Date: Mon, 14 Jan 2002 22:07:35 GMT

On Mon 14 Jan 2002 12:42, Gulu wrote:

> Hi,
> I just recognized that with Apache configured for VirtualHosts, any user
> can access other users' files via a CGI or ASP script, they even are able to
> read system files. The system I'm using seems to be considered on
> security, so I'm wondering if there is any way to solve this problem so
> that:
>
> - no one can access another user's Apache root directory (e.g. /home/user1)
> - no one can read files using a file system call in CGI or ASP
> - everyone can execute CGI / ASP scripts in the specified directory
> within the users directory (e.g. /home/user1/www/cgi-bin/)
>
> Do you know of this problem? Is suexec a possible solution? Any experience
> with suexec?
>
> thanx for helping
>
> gulu
>
>

If you configure Apache to use suexec, then put a "User <unique-user-name>"
directive inside each <VirtualHost>, Apache will make CGI programs for the
different vhosts run as different users. The actual files in the
DocumentRoot will still need to be readable to Apache, although I believe
that the CGI scripts themselves can be private to the vhost user. For any
other type of dynamic content, suexec will only work if the interpreter is
an external program and not a module compiled into Apache.

-- 
Chronos Tachyon
http://chronos.dyndns.org/ -- WWED?
Guardian of Eristic Paraphernalia
Gatekeeper of the Region of Thud
  4:02pm  up 78 days, 19:57,  2 users,  load average: 0.22, 0.23, 0.15
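
The per-vhost suexec setup described in the reply, written out as an added configuration example that is not part of the original post. The address, host names, the second account (user2) and the group names are constructed; the paths follow the /home/user1/www/cgi-bin/ layout from the question, and it is assumed that suexec was built with a document root that contains /home.

```apache
# Apache 1.3 form, as in the reply: User/Group inside each <VirtualHost>
# choose the identity that suexec switches to for that vhost's CGI programs.
# Apache 2.x replaces the per-vhost User/Group with one directive:
#     SuexecUserGroup user1 user1
#
# When the wrapper is installed and usable, the error log shows a
# "suEXEC mechanism enabled" notice at startup. Without it, CGI keeps
# running as the main server user and the isolation below does not apply.

NameVirtualHost 192.0.2.10

<VirtualHost 192.0.2.10>
    ServerName   user1.example.com
    DocumentRoot /home/user1/www
    User         user1
    Group        user1
    ScriptAlias  /cgi-bin/ /home/user1/www/cgi-bin/
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName   user2.example.com
    DocumentRoot /home/user2/www
    User         user2
    Group        user2
    ScriptAlias  /cgi-bin/ /home/user2/www/cgi-bin/
</VirtualHost>

# suexec refuses to run a program unless:
#   - it lives under suexec's compiled-in document root (or a UserDir),
#   - the program and its directory are owned by the vhost's User/Group,
#   - neither the program nor its directory is writable by anyone else,
#   - the program is not setuid or setgid.
#
# Static files under DocumentRoot are still served by the main server
# user, so they must stay readable to it. Only CGI execution changes
# identity. Content handled by an interpreter compiled into Apache as a
# module is not covered, as the reply notes.
```

With each vhost's CGI running under its own account, ordinary file permissions on /home/user1 and /home/user2 are what keep one customer's scripts out of the other's files, so the home directories themselves should not be group- or world-accessible beyond what the main server user needs to serve static content.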