| 1 |
On Thu, Dec 04, 2008 at 12:17:14PM +0800, P.V.Anthony wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> I need help with permissions for a folder on a server for web hosting. |
| 5 |
> The permissions should be secure but must allow for ftp also. It is a |
| 6 |
> very basic question, please bear with me. |
| 7 |
> |
| 8 |
> The web server is apache and the user and group for the web server is |
| 9 |
> apache. Pureftpd is used for the ftp server. |
| 10 |
> |
| 11 |
> Now the domain1.com is being hosted in a folder called domain_1.com and |
| 12 |
> domain2.com is being hosted in a folder called domain_2.com. |
| 13 |
> |
| 14 |
> Thinking of giving the following permission for the folders. |
| 15 |
> |
| 16 |
> permission user group folder |
| 17 |
> drwxrwx--- domain_1.com domain_1.com domain_1.com |
| 18 |
> drwxrwx--- domain_2.com domain_2.com domain_2.com |
| 19 |
> drwxrwx--- domain_3.com domain_3.com domain_3.com |
| 20 |
> |
| 21 |
> Then apache will be member of groups, domain_1.com, domain_2.com and |
| 22 |
> domain_3.com. |
| 23 |
> |
| 24 |
> Is this correct and secure? Is there another better way? |
| 25 |
> |
| 26 |
Correct, yes. Secure, depends, but probably no. If your customers can run cgi |
| 27 |
programs or php scripts, you might run into trouble. It doesn't matter wether |
| 28 |
you run a cgi/php from domain1 or domain2, it will normally always run as |
| 29 |
httpd-user. Now consider some simple code in a cgi like: |
| 30 |
cat ../../domain2/htdocs/.htpasswd |
| 31 |
This will normally work without problems from domain1, since this code will be |
| 32 |
run as httpd-user, that is in group domain_2.com. |
| 33 |
Apache has a peruser mpm that should work around this problem. Or you could use |
| 34 |
something like SELinux or AppArmor, but this will require some work. |
| 35 |
|
| 36 |
-- |
| 37 |
"The great thing about Object Oriented code is that it can make small, simple problems look like large, complex ones." |
Archives