Re: Apache Security Issue

From: Chronos Tachyon
Date: Mon, 14 Jan 2002 22:07:35 GMT

On Mon 14 Jan 2002 12:42, Gulu wrote:

> Hi,
> I just recognized that with Apache configured for VirtualHosts, any user
> can access other users' files via a CGI or ASP script, they even are able to
> read system files. The system I'm using seems to be considered on
> security, so I'm wondering if there is any way to solve this problem so
> that:
> - no one can access another user's Apache root directory (e.g. /home/user1)
> - no one can read files using a file system call in CGI or ASP
> - everyone can execute CGI / ASP scripts in the specified directory
> within the users directory (e.g. /home/user1/www/cgi-bin/)
> Do you know of this problem? Is suexec a possible solution? Any experience
> with suexec?
> thanx for helping
> gulu

If you configure Apache to use suexec, then put a "User <unique-user-name>"
directive inside each <VirtualHost>, Apache will make CGI programs for the
different vhosts run as different users. The actual files in the
DocumentRoot will still need to be readable to Apache, although I believe
that the CGI scripts themselves can be private to the vhost user. For any
other type of dynamic content, suexec will only work if the interpreter is
an external program and not a module compiled into Apache.

Chronos Tachyon -- WWED?
Guardian of Eristic Paraphernalia
Gatekeeper of the Region of Thud
  4:02pm  up 78 days, 19:57,  2 users,  load average: 0.22, 0.23, 0.15
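
The per-vhost suexec setup described in the reply above, as an added example that is not part of the original post. It uses the Apache 1.3 syntax the reply refers to; the IP address, hostnames, user and group names are hypothetical, and the paths follow the ones in the question.

```apache
# Added example: hostnames, address, users and groups are hypothetical.
# Requires an Apache build with suexec enabled. suexec only runs programs
# located under the document root it was compiled with, so for the layout
# in the question that root would have to cover /home.

NameVirtualHost 192.0.2.10

<VirtualHost 192.0.2.10>
    ServerName   user1.example.com
    DocumentRoot /home/user1/www
    # CGI programs of this vhost are started through suexec as user1:user1
    User  user1
    Group user1
    ScriptAlias /cgi-bin/ /home/user1/www/cgi-bin/
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName   user2.example.com
    DocumentRoot /home/user2/www
    # A different account per vhost, so user2's CGI programs cannot read
    # files that are private to user1 (and the other way round)
    User  user2
    Group user2
    ScriptAlias /cgi-bin/ /home/user2/www/cgi-bin/
</VirtualHost>

# Ownership rules suexec enforces before it executes a CGI program:
#   - the program and its directory are owned by the vhost's User/Group
#   - neither is writable by group or others
#   - the program is not setuid or setgid
# Static files under DocumentRoot must stay readable by the server's own
# account, because Apache serves them itself and suexec is not involved.

# Apache 2.0 and later replace the User/Group pair inside <VirtualHost>
# with a single directive:
#     SuexecUserGroup user1 user1
```

Content handled by an interpreter compiled into Apache as a module keeps running as the server's own account under this configuration, which is the limitation the reply points out.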
