subject:"Apache\/PHP\/FTP and user rights"

Re: Apache/PHP/FTP and user rights

2002-08-23 Thread Helios de Creisquer

On Thu, Aug 01, 2002 at 03:40:23PM +0200, [EMAIL PROTECTED] wrote:
 Thus :
 - customers files are uploaded with user.user rights.
 - Apache runs as www-data.www-data
 
 The problem is that with that kind of setup, Apache can't create files
 in dirs owned by user.user. Even by switching files from user.user to
 user.www-data, if a file is created by Apache it won't be deletable by
 FTP.

perhaps you should try the cgiwrap package ?

there is also a patched version [ hum,  heavy  patched  :)  ]  which  is
called 'wrapit', used on Tuxfamily.org, it is part of the VHFFS project,
have a look on vhffs.org for more informations...

-- 
   Helios de Creisquer
http://www.tuxfamily.org/[EMAIL PROTECTED]
http://www.vhffs.org/[EMAIL PROTECTED]

Re: Apache/PHP/FTP and user rights

2002-08-02 Thread Shri Shrikumar

On Thu, 2002-08-01 at 18:38, Phillip Baker wrote:
 (oops, sent it directly to nicolas instead of the list - resent to the list
 for other people's benefit)
 
 I resigned myself to using cgi-php, mainly because I didn't want users
 scripts running as the webserver (somewhat of a security risk as then all
 files readable by the webserver become readable to users php scripts), but
 also to solve the problem of user's files not belonging to them.
 
 My install requires each user to have a copy of the interpreter in their own
 website's cgi-bin, under /www/their-site-url/cgi-bin - It does mean 2.4mb
 or so used by each user, but I just credit them the extra quota, and really,
 2.4mb isnt so much these days.
 
 To change the path you're allowed to use suexec on (because I don't believe
 you actually use /var/www - do you?) simply recompile it with the different
 path, and drop it into apache's lib directory. Don't forget to back up your
 new suexec when you upgrade apache, because apache will overwrite it again!
 
 If you need more detailed directives on recompiling suexec for an
 alternative path let me know and I'll dig the info out.


What is the performance hit for this (if any) ? and how much of a PITA
is it ? Also, do you have any links ? I've never used suexec, are there
any limits on the number of users or such ?

Thanks for your time


Shri

Re: Apache/PHP/FTP and user rights

2002-08-02 Thread Phillip Baker

Hi Shri,

 What is the performance hit for this (if any) ? and how much of a PITA
 is it ? Also, do you have any links ? I've never used suexec, are there
 any limits on the number of users or such ?

I must admit I never did a performance comparison, but from a completely
objective point of view it seems plenty fast on my dual p3 1GHz server :)

I'm sure theres some performance hit in passing the data inbetween the
webserver and PHP using CGI but the interpreter itself shouldn't really be
much faster or slower as such, so its shouldn't be too bad.

If by user limit if you mean the number of processes running at once, I've
certainly not hit any problems to date.

As someone pointed out, my individual copies of the PHP binary are
unnecessary if you simply hard link to it and make the link belong to the
user it should work (I believe)

Debian has a php4-cgi (I think it's called) package, but I cant recall in
particular what this sets up (if anything).

For each virtualhost directive in httpd.conf I have:

ScriptAlias /cgi-bin/ /www/website url/cgi-bin/

User  username
Group groupname (same as username typically in debian)

AddType application/x-httpd-php4-cgi .phtml .php4 .php .php3
Action application/x-httpd-php4-cgi /cgi-bin/.php

And that works quite well.

Naming their interpreter .php hides it from most ftp tools and suchlike and
will help prevent them deleting it, although you could always remove write
access as well as they shouldn't need to write to the interpreter :)

You'll need to recompile suexec if your cgi-bins are outside of /var/www in
order for it to work, and  overwrite apache's copy. You'll also find suexec
won't run files which are not chown'd to the right user and may also refuse
to
run php that isn't chmod 700.

I don't know of any HOWTOs for this, I had to ask someone in the know
about it and learnt that way. I do intend to write my own set of HOWTOs
for things I've done which don't seem to be particularly well documented at
some stage but I've simply not had the time so far :/

If you need a hand at any stage, let me know and I'll do my best to answer
your questions.

Regards,
Phillip Baker
LC Host Administrator
[EMAIL PROTECTED]

Apache/PHP/FTP and user rights

2002-08-01 Thread nbougues-listes

Dear all,

I'm facing a problem I thought would be fairly easy to deal with, but
haven't found a proper solution. Here it is :

We have a web werver hosting a few tens of customers using
VirtualHosts. We have mod_php and use FTP for updates, each customer
having its own UID.

Thus :
- customers files are uploaded with user.user rights.
- Apache runs as www-data.www-data

The problem is that with that kind of setup, Apache can't create files
in dirs owned by user.user. Even by switching files from user.user to
user.www-data, if a file is created by Apache it won't be deletable by
FTP.

What we consider the right solution would be to have Apache run as
user.user in each virtual host. This seems to be doable with
User/Group directives. Unfortunatly :
- mod_php doesn't honor that
- using a CGI php requires the use of suEXEC, which in turn requires
  that the php4 parser be installed in /var/www (hardcoded
  documentroot) and that it belongs to user.user, which is quite
  annoying.

I tend to think that what I want to do is not something quite
unusual. Maybe I missed a straightforward point somewhere. I hope
somebody will be able to point me to the right direction.

-- 
Nicolas Bougues
Axialys Interactive

Re: Apache/PHP/FTP and user rights

2002-08-01 Thread Marcin Sochacki

On Thu, Aug 01, 2002 at 03:40:23PM +0200, [EMAIL PROTECTED] wrote:
 I'm facing a problem I thought would be fairly easy to deal with, but
 haven't found a proper solution. Here it is :
 
 We have a web werver hosting a few tens of customers using
 VirtualHosts. We have mod_php and use FTP for updates, each customer
 having its own UID.
[...]

 What we consider the right solution would be to have Apache run as
 user.user in each virtual host. This seems to be doable with
 User/Group directives. Unfortunatly :
Apache doesn't honor those options in virtual host context, unless run
as root and recompiled with some -DBIG_SECURITY_HOLE option.
Obviously this is not a very secure solution.

Take a look here:
http://ftw.zamosc.pl/~lw/mdp/
http://luxik.cdi.cz/~devik/apache/

Wanted

Re: Apache/PHP/FTP and user rights

2002-08-01 Thread Phillip Baker

(oops, sent it directly to nicolas instead of the list - resent to the list
for other people's benefit)

I resigned myself to using cgi-php, mainly because I didn't want users
scripts running as the webserver (somewhat of a security risk as then all
files readable by the webserver become readable to users php scripts), but
also to solve the problem of user's files not belonging to them.

My install requires each user to have a copy of the interpreter in their own
website's cgi-bin, under /www/their-site-url/cgi-bin - It does mean 2.4mb
or so used by each user, but I just credit them the extra quota, and really,
2.4mb isnt so much these days.

To change the path you're allowed to use suexec on (because I don't believe
you actually use /var/www - do you?) simply recompile it with the different
path, and drop it into apache's lib directory. Don't forget to back up your
new suexec when you upgrade apache, because apache will overwrite it again!

If you need more detailed directives on recompiling suexec for an
alternative path let me know and I'll dig the info out.

HTH

Regards,
Phillip Baker
LC Host Administrator
[EMAIL PROTECTED]

- Original Message -
From: [EMAIL PROTECTED]
To: debian-isp@lists.debian.org
Sent: Thursday, August 01, 2002 2:40 PM
Subject: Apache/PHP/FTP and user rights


 Dear all,

 I'm facing a problem I thought would be fairly easy to deal with, but
 haven't found a proper solution. Here it is :

 We have a web werver hosting a few tens of customers using
 VirtualHosts. We have mod_php and use FTP for updates, each customer
 having its own UID.

 Thus :
 - customers files are uploaded with user.user rights.
 - Apache runs as www-data.www-data

 The problem is that with that kind of setup, Apache can't create files
 in dirs owned by user.user. Even by switching files from user.user to
 user.www-data, if a file is created by Apache it won't be deletable by
 FTP.

 What we consider the right solution would be to have Apache run as
 user.user in each virtual host. This seems to be doable with
 User/Group directives. Unfortunatly :
 - mod_php doesn't honor that
 - using a CGI php requires the use of suEXEC, which in turn requires
   that the php4 parser be installed in /var/www (hardcoded
   documentroot) and that it belongs to user.user, which is quite
   annoying.

 I tend to think that what I want to do is not something quite
 unusual. Maybe I missed a straightforward point somewhere. I hope
 somebody will be able to point me to the right direction.

 --
 Nicolas Bougues
 Axialys Interactive


 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]

Re: Apache/PHP/FTP and user rights

2002-08-01 Thread Phillip Baker

Interesting.

A stub runs as root, yes, but all the threads that actually handle requests
are running as the correct non-priveleged user on my system.

I've never experienced a problem with cgi-php and very much doubt debian
would provide it as a package if it provided such a big hole.

Regards,
Phillip Baker
LC Host Administrator
[EMAIL PROTECTED]

- Original Message -
From: Marcin Sochacki [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 01, 2002 4:29 PM
Subject: Re: Apache/PHP/FTP and user rights


 On Thu, Aug 01, 2002 at 03:40:23PM +0200, [EMAIL PROTECTED]
wrote:
  I'm facing a problem I thought would be fairly easy to deal with, but
  haven't found a proper solution. Here it is :
 
  We have a web werver hosting a few tens of customers using
  VirtualHosts. We have mod_php and use FTP for updates, each customer
  having its own UID.
 [...]

  What we consider the right solution would be to have Apache run as
  user.user in each virtual host. This seems to be doable with
  User/Group directives. Unfortunatly :
 Apache doesn't honor those options in virtual host context, unless run
 as root and recompiled with some -DBIG_SECURITY_HOLE option.
 Obviously this is not a very secure solution.

 Take a look here:
 http://ftw.zamosc.pl/~lw/mdp/
 http://luxik.cdi.cz/~devik/apache/

 Wanted


 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]

Re: Apache/PHP/FTP and user rights

Re: Apache/PHP/FTP and user rights

Re: Apache/PHP/FTP and user rights

Apache/PHP/FTP and user rights

Re: Apache/PHP/FTP and user rights

Re: Apache/PHP/FTP and user rights

Re: Apache/PHP/FTP and user rights

7 matches

Site Navigation

Mail list logo

Footer information