Hi list.
I use Apache2.0+mod_perl_1.99+PHP on my server.
I want to lend web space to user.But I found a big problem which I don't
know how to resolve it.
for example ,
user test1's home directory is /home/test1,he can't access other
directories or files via ftp.
but ,if he uploads a simple script like following to his home directory ,
#!/usr/bin/perl
use CGI;
my $p=new CGI;
print $p->header;
open(HANDLE,"/etc/passwd");
while(<HANDLE>)
{
print "$_<BR>";
}
close(HANDLE);
then ,via his cgi script through brower....
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
......
By setting the file's attribute,the problem could be repaired.But ,if a CGI
file's permission was set to XX0,it can't run.
I am going to add a judgement to perl's function OPEN().if the file name
which was asked to open is begin with "/" or "../",perl can decline it.
I dont know the perl's source code at all,so I am not sure if it is a good
idea.
Maybe there are some other ways to resolve this problem(I just heared
chroot,but I am not clear how to do).Would someone give me a hint?
Any advise would be appreciated.
Thanx.
Regards,
Kai
--
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
