On Thu, Dec 04, 2008 at 12:17:14PM +0800, P.V.Anthony wrote:
> Hi,
>
> I need help with permissions for a folder on a server for web hosting.
> The permissions should be secure but must allow for ftp also. It is a
> very basic question, please bear with me.
>
> The web server is apache and the user and group for the web server is
> apache. Pureftpd is used for the ftp server.
>
> Now the domain1.com is being hosted in a folder called domain_1.com and
> domain2.com is being hosted in a folder called domain_2.com.
>
> Thinking of giving the following permission for the folders.
>
> permission  user          group         folder
> drwxrwx---  domain_1.com  domain_1.com  domain_1.com
> drwxrwx---  domain_2.com  domain_2.com  domain_2.com
> drwxrwx---  domain_3.com  domain_3.com  domain_3.com
>
> Then apache will be member of groups, domain_1.com, domain_2.com and
> domain_3.com.
>
> Is this correct and secure? Is there another better way?
>
Correct, yes. Secure, depends, but probably no. If your customers can run cgi
programs or php scripts, you might run into trouble. It doesn't matter whether
you run a cgi/php from domain1 or domain2, it will normally always run as
httpd-user. Now consider some simple code in a cgi like:

    cat ../../domain2/htdocs/.htpasswd

This will normally work without problems from domain1, since this code will be
run as httpd-user, that is in group domain_2.com.

Apache has a peruser mpm that should work around this problem. Or you could use
something like SELinux or AppArmor, but this will require some work.

--
"The great thing about Object Oriented code is that it can make small, simple problems look like large, complex ones."
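
The cross-site exposure described in the reply can be checked on paper before any groups are created. The following is an added example, not part of the original thread: it models the three `drwxrwx---` directories from the question and compares a shared `apache` identity with per-site identities. The function names and the per-site identity model are assumptions, and root's permission bypass is not modelled.

```python
# Constructed model of the layout in the question: three site directories,
# each drwxrwx--- and owned by a per-site user and group of the same name.
SITES = {name: {"mode": "drwxrwx---", "owner": name, "group": name}
         for name in ("domain_1.com", "domain_2.com", "domain_3.com")}


def can_enter(entry, user, groups):
    """POSIX check for read+search (r-x) on a directory, from its ls-style mode.

    Only the first matching class applies: owner, then group, then other.
    """
    mode = entry["mode"]
    if user == entry["owner"]:
        bits = mode[1:4]
    elif entry["group"] in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return bits[0] == "r" and bits[2] in "xst"


def cross_site_exposure(sites, script_identity):
    """Return (running_site, readable_site) pairs where a script belonging
    to one site can list and enter another site's directory."""
    exposed = []
    for running in sites:
        user, groups = script_identity(running)
        for target, entry in sites.items():
            if target != running and can_enter(entry, user, groups):
                exposed.append((running, target))
    return exposed


def shared_httpd(site):
    # Layout from the question: every script runs as apache, which is a
    # member of all site groups.
    return "apache", set(SITES)


def per_site_user(site):
    # Assumed per-site execution (the effect the reply expects from a
    # peruser-style MPM): each script runs as its own site's user and group.
    return site, {site}


if __name__ == "__main__":
    for label, ident in (("shared apache user", shared_httpd),
                         ("per-site user", per_site_user)):
        pairs = cross_site_exposure(SITES, ident)
        print(f"{label}: {len(pairs)} cross-site paths")
```
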