Re: virtual hosting methods
Gavin Hamill wrote:
> This is my biggest problem and a significant security hole :/
>
> I have a directory /www containing all the vhosting directories, named
> domain.com, etc.
>
> the entire directory tree is owned by a user called virtual, and
> everyone has CGI, PHP and SSI access.
>
> In this way it would be very easy for anyone to upload a 'file manager'
> CGI and be able to change the documents of any other Vhost user :(

Why not have the owner of the files be somethingelse, and have "virtual"
hold group read rights; so to upload any file they would have an upload
web page which passes the job to the owner, somethingelse. You wouldn't
need to create multiple real users, just two for the job (which could
then use sudo, and you'd have to lock down that upload program well).

Mark Aitchison
--
phone:(064)3-364-5888       /\/\ _/\ /\
fax:  (064)3-364-5835      _/\/ ^ \/\,__
System Administrator at: Plain Communications
mailto:[EMAIL PROTECTED]
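Mark's "upload page hands the job to the owner" scheme only holds up if the handoff program refuses to write outside the requesting vhost's tree. The helper below is an added example in POSIX sh, not code from this thread; the /www/<domain> layout, the user names and the sudoers line in the comment are assumptions taken from the discussion, and the sample tree at the bottom is constructed so it runs stand-alone.

```shell
#!/bin/sh
# Deploy helper for the "upload page hands the job to the file owner" design:
# the CGI running as "virtual" calls this via sudo as the owning user, and the
# helper refuses anything that would land outside the requested vhost's tree.
# Assumed sudoers line (hypothetical path for the helper):
#   virtual ALL=(somethingelse) NOPASSWD: /usr/local/sbin/deploy-file
WWW_ROOT="${WWW_ROOT:-/www}"   # assumed layout: /www/<domain>/...

# A vhost name must be a plain hostname: no slashes, no "..", no leading dot.
valid_vhost() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$' || return 1
    case "$1" in *..*) return 1 ;; esac
}

# The target path is relative and may not contain a ".." component.
valid_relpath() {
    case "$1" in
        ''|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# deploy_file VHOST RELPATH SRC: install SRC as $WWW_ROOT/VHOST/RELPATH.
deploy_file() {
    vhost=$1 rel=$2 src=$3
    valid_vhost "$vhost"  || { echo "deploy: bad vhost name" >&2; return 2; }
    valid_relpath "$rel"  || { echo "deploy: bad target path" >&2; return 2; }
    docroot=$(cd "$WWW_ROOT/$vhost" 2>/dev/null && pwd -P) \
        || { echo "deploy: unknown vhost" >&2; return 2; }
    dest="$docroot/$rel"
    # Resolve the target directory with symlinks followed and re-check that it
    # is still inside this vhost: a symlink planted in one docroot must not
    # redirect the write into another customer's files.
    realdir=$(cd "$(dirname "$dest")" 2>/dev/null && pwd -P) \
        || { echo "deploy: target directory missing" >&2; return 2; }
    case "$realdir/" in
        "$docroot"/*) ;;
        *) echo "deploy: target escapes docroot" >&2; return 2 ;;
    esac
    [ -L "$dest" ] && { echo "deploy: target is a symlink" >&2; return 2; }
    cp -- "$src" "$dest" && chmod 0644 "$dest"
}

# Constructed sample tree so the helper can be exercised stand-alone.
WWW_ROOT=$(mktemp -d)
mkdir -p "$WWW_ROOT/example.com/img" "$WWW_ROOT/other.example"
ln -s "$WWW_ROOT/other.example" "$WWW_ROOT/example.com/escape"
echo 'logo placeholder' > "$WWW_ROOT/upload.tmp"
deploy_file example.com img/logo.txt "$WWW_ROOT/upload.tmp" && echo "deployed"
deploy_file example.com ../other.example/x "$WWW_ROOT/upload.tmp" || echo "blocked: traversal"
deploy_file example.com escape/x "$WWW_ROOT/upload.tmp" || echo "blocked: symlinked dir"
```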
Re: virtual hosting methods
On Sat, Nov 24, 2001 at 06:44:02PM -0500, Kevin J. Menard, Jr. wrote:
>
> MpP> For simple masshosting I still suggest mod_vhost.
>
> Which brings me back to my original question. For simple masshosting, I
> would agree. But what about a system where some vhosts have CGI or SSI
> access for example, and some don't. Would the former setup be better, or
> the latter?

This is my biggest problem and a significant security hole :/

I have a directory /www containing all the vhosting directories, named
domain.com, etc.

the entire directory tree is owned by a user called virtual, and
everyone has CGI, PHP and SSI access.

In this way it would be very easy for anyone to upload a 'file manager'
CGI and be able to change the documents of any other Vhost user :(

People have pointed me at sudo in the past but I don't want to start
creating /etc/passwd users - that was the whole point of the virtual
system - no real system users for www, ftp or mail!

Any ideas, anyone? We haven't had any problems to date because none of
our clients know anything / much about scripting...

Cheers,
gdh
Re: virtual hosting methods
As of 1.3.22 it reads everything .file and file~ :(
Easy to fix but ain't got no time nor interest.

--
Martin 'pisi' Paljak / freelancer consultant
[EMAIL PROTECTED] / pisi.pisitek.com
www.pisitek.com

On 24 Nov 2001, Karl M. Hegbloom wrote:

> > "Frank" == Frank Louwers <[EMAIL PROTECTED]> writes:
>
> Frank> On Sun, Nov 25, 2001 at 12:30:41AM +0200, Martin 'pisi' Paljak wrote:
> >> Actually there is a very nice and nifty feature in apache 1.3.19+ (or was
> >> it 20+) that allows an include filename to be a directory, which will
> >> include all directories and subdirs of the named directory, and load all
> >> files in those dirs as config files. With some maintenance scripts it
> >> allows very easy maintenance of virtual hosts (configuration...)
>
> Frank> Only thing: remember NOT to leave temp/backup files in that directory,
> Frank> as EVERY file is read as a config file...
>
> That should be fixed. I think it ought to ignore dot files, "~"
> suffixed files, files that begin with "-" (so you can elide them
> without moving them elsewhere), and files with a ".dpkg-*" suffix.
>
> It should not descend a ".backup*/" directory created by emacs
> either, in case someone is using backup directories.
>
> --
> I was Linux when Linux wasn't cool.
Re: virtual hosting methods
> "Frank" == Frank Louwers <[EMAIL PROTECTED]> writes:

Frank> On Sun, Nov 25, 2001 at 12:30:41AM +0200, Martin 'pisi' Paljak wrote:
>> Actually there is a very nice and nifty feature in apache 1.3.19+ (or was
>> it 20+) that allows an include filename to be a directory, which will
>> include all directories and subdirs of the named directory, and load all
>> files in those dirs as config files. With some maintenance scripts it
>> allows very easy maintenance of virtual hosts (configuration...)

Frank> Only thing: remember NOT to leave temp/backup files in that directory,
Frank> as EVERY file is read as a config file...

That should be fixed. I think it ought to ignore dot files, "~"
suffixed files, files that begin with "-" (so you can elide them
without moving them elsewhere), and files with a ".dpkg-*" suffix.

It should not descend a ".backup*/" directory created by emacs
either, in case someone is using backup directories.

--
I was Linux when Linux wasn't cool.
Re: virtual hosting methods
Actually there is a very nice and nifty feature in apache 1.3.19+ (or was
it 20+) that allows an include filename to be a directory, which will
include all directories and subdirs of the named directory, and load all
files in those dirs as config files. With some maintenance scripts it
allows very easy maintenance of virtual hosts (configuration...) and
grouping of configuration.

For simple masshosting I still suggest mod_vhost.

regards,
--
Martin 'pisi' Paljak / freelancer consultant
[EMAIL PROTECTED] / pisi.pisitek.com

On Sat, 24 Nov 2001, Gavin Hamill wrote:

> On Sat, Nov 24, 2001 at 04:29:06PM -0500, Kevin J. Menard, Jr. wrote:
> > Hey guys,
> >
> > And I was thinking just have a separate vhost.conf file and modifying
> > that, then restarting apache with graceful.
>
> This is exactly what I do, with the same filename vhost.conf and
> everything =)
>
> In fact, apache's httpd.conf is configured to read vhost.conf, but any
> of my web-based admin tools (which I wrote) use a file called
> vhost.latest, then this script runs as a cron job every 3 minutes:
>
> #!/bin/bash
>
> diff /etc/apache/vhost.conf /etc/apache/vhost.latest >/dev/null
>
> if [ $? = 1 ] ; then
>   echo >/tmp/thisisnow `date +%Y%m%d-%H%M%S`
>   cat /etc/apache/vhost.conf > /etc/apache/vhost.conf.`cat /tmp/thisisnow`
>   cat /etc/apache/vhost.latest >/etc/apache/vhost.conf
>   echo >>/var/log/telcust.log `date +%Y-%m-%d-%H-%M-%S` INFO: Rotated vhost.conf
>   echo Rotating apache configuration!
>   echo
>   apachectl configtest
>
>   if [ $? = 0 ] ; then
>     apachectl stop
>     sleep 1
>     apachectl start
>     sleep 2
>     apachectl start
>
>     pidof /usr/sbin/apache >/dev/null
>
>     if [ $? = 1 ] ; then
>       echo >>/var/log/telcust.log `date +%Y-%m-%d-%H-%M-%S` WARN: Apache did not restart
>       echo DID NOT DETECT ANY RUNNING APACHE PROCESSES!!!
>       echo
>       echo End of /var/log/apache/error.log follows
>       echo
>       tail /var/log/apache/error.log
>       cat /etc/apache/vhost.conf.`cat /tmp/thisisnow` >/etc/apache/vhost.conf
>       apachectl start
>       echo
>       echo I have restored the old config file and restarted apache.
>       echo You will get this error every three minutes as an incentive
>       echo to fix the problem in /etc/apache/vhost.latest !
>     else
>       echo Detected apache processes have restarted OK.
>     fi
>   else
>     echo
>     echo >>/var/log/telcust.log `date +%Y-%m-%d-%H-%M-%S` WARN: Apache conf failed syntax test
>     echo Oh dear, the new apache config failed the configtest.
>     echo Will restore the old config and not restart apache.
>     cat /etc/apache/vhost.conf.`cat /tmp/thisisnow` >/etc/apache/vhost.conf
>   fi
>
> fi
>
> -
>
> The vhost.latest simply contains lots of blocks.
>
> Cheers,
>
> gdh
Re: virtual hosting methods
On Sun, Nov 25, 2001 at 12:30:41AM +0200, Martin 'pisi' Paljak wrote:
> Actually there is a very nice and nifty feature in apache 1.3.19+ (or was
> it 20+) that allows an include filename to be a directory, which will
> include all directories and subdirs of the named directory, and load all
> files in those dirs as config files. With some maintenance scripts it
> allows very easy maintenance of virtual hosts (configuration...)

We use this setup and are very happy about it. I searched the apache CVS
trees, found the (rather small!) diff that implements this, and backported
it to the 1.3.9 that's in potato. Works like a charm.

Only thing: remember NOT to leave temp/backup files in that directory, as
EVERY file is read as a config file...

While on the vhosting subject: how do you guys handle the maximum open
file descriptor limit in apache? Do you give every vhost two separate
logfiles or not? If you do, have you run into the maximum file descriptors
issue or not?

Regards,
frank
Openminds b.v.b.a.
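Karl's list of leftovers the Include-a-directory feature ought to skip, and Frank's question about log file descriptors, both come down to knowing what Apache will actually read from the vhost directory before a reload. The audit script below is an added example, not code from this thread; it assumes a one-file-per-vhost directory (hypothetical $VHOST_DIR) read in full by Apache 1.3.x as described above, and builds a constructed sample tree so it runs stand-alone.

```shell
#!/bin/sh
# Pre-reload audit for an "Include <directory>" vhost tree. Assumes (hypothetical
# layout) one file per vhost under $VHOST_DIR and that Apache 1.3.x reads EVERY
# regular file it finds there, as the thread describes.

# stray_config_files DIR: print files Apache would read that look like editor,
# backup or package leftovers: dotfiles, "~" suffixes, "-" prefixes, ".dpkg-*"
# suffixes, and anything below a ".backup*/" directory.
stray_config_files() {
    find "$1" -type f | while IFS= read -r path; do
        name=${path##*/}
        case "$name" in
            .*|*~|-*|*.dpkg-*) printf '%s\n' "$path"; continue ;;
        esac
        case "$path" in
            */.backup*/*) printf '%s\n' "$path" ;;
        esac
    done
}

# log_fd_count DIR: number of distinct log files named by ErrorLog, CustomLog
# or TransferLog directives, i.e. how many descriptors the vhost logs will hold
# open (each distinct path is opened once). Stray files are included on
# purpose, because Apache would read them too.
log_fd_count() {
    find "$1" -type f -exec grep -hiE \
        '^[[:space:]]*(ErrorLog|CustomLog|TransferLog)[[:space:]]+' {} + \
        | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# log_fds_fit DIR LIMIT RESERVE: succeed when the log descriptors plus a reserve
# (listeners, the main error log, per-connection sockets) fit under LIMIT,
# normally the "ulimit -n" value in effect for the Apache user.
log_fds_fit() {
    used=$(log_fd_count "$1")
    [ $((used + $3)) -le "$2" ]
}

# Constructed sample tree: two live vhosts plus typical leftovers.
VHOST_DIR=$(mktemp -d)
mkdir -p "$VHOST_DIR/.backup"
printf 'ErrorLog /var/log/apache/a.com-error.log\nCustomLog /var/log/apache/a.com-access.log combined\n' > "$VHOST_DIR/a.com"
printf 'ErrorLog /var/log/apache/b.net-error.log\nCustomLog /var/log/apache/b.net-access.log combined\n' > "$VHOST_DIR/b.net"
cp "$VHOST_DIR/b.net" "$VHOST_DIR/b.net~"           # editor backup
cp "$VHOST_DIR/b.net" "$VHOST_DIR/.b.net.swp"       # editor swap file
cp "$VHOST_DIR/a.com" "$VHOST_DIR/c.org.dpkg-old"   # package leftover
cp "$VHOST_DIR/a.com" "$VHOST_DIR/.backup/a.com"    # emacs backup directory
printf 'ErrorLog /var/log/apache/old.org-error.log\n' > "$VHOST_DIR/-old.org"  # "disabled", but still read

echo "stray files Apache would still read:"; stray_config_files "$VHOST_DIR"
echo "log descriptors needed: $(log_fd_count "$VHOST_DIR") (limit: $(ulimit -n))"
```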
Re: virtual hosting methods
On Sun, Nov 25, 2001 at 12:30:41AM +0200, Martin 'pisi' Paljak wrote:
> Actually there is a very nice and nifty feature in apache 1.3.19+ (or was
> it 20+) that allows an include filename to be a directory, which will
> include all directories and subdirs of the named directory,
> and load all files in those dirs as config files.

Ah, so each vhost could have its own file in a 'vhost' directory..
interesting, and perhaps much less dangerous than a single file...

Mind you I wrote that shell script to work with 1.3.9 from potato...

> For simple masshosting I still suggest mod_vhost.

This is not something I'm even aware of! I'll have to look into it :)

Thanks!
gdh
Re: virtual hosting methods
On Sat, Nov 24, 2001 at 04:29:06PM -0500, Kevin J. Menard, Jr. wrote:
> Hey guys,
>
> And I was thinking just have a separate vhost.conf file and modifying
> that, then restarting apache with graceful.

This is exactly what I do, with the same filename vhost.conf and
everything =)

In fact, apache's httpd.conf is configured to read vhost.conf, but any
of my web-based admin tools (which I wrote) use a file called
vhost.latest, then this script runs as a cron job every 3 minutes:

#!/bin/bash

# Only act when the admin tools have produced a vhost.latest that differs
# from the live vhost.conf (diff exits 1 on differences, 2 on trouble).
diff /etc/apache/vhost.conf /etc/apache/vhost.latest >/dev/null

if [ $? = 1 ] ; then
  # Keep the timestamp in a shell variable instead of a predictable file
  # under /tmp, which any local user could pre-create or point elsewhere.
  now=`date +%Y%m%d-%H%M%S`
  # Back up the live config, then swap in the new one.
  cat /etc/apache/vhost.conf > /etc/apache/vhost.conf.$now
  cat /etc/apache/vhost.latest >/etc/apache/vhost.conf
  echo >>/var/log/telcust.log `date +%Y-%m-%d-%H-%M-%S` INFO: Rotated vhost.conf
  echo Rotating apache configuration!
  echo
  # configtest runs against the newly installed vhost.conf.
  apachectl configtest

  if [ $? = 0 ] ; then
    apachectl stop
    sleep 1
    apachectl start
    sleep 2
    apachectl start    # retry in case the first start raced the stop

    pidof /usr/sbin/apache >/dev/null

    if [ $? = 1 ] ; then
      echo >>/var/log/telcust.log `date +%Y-%m-%d-%H-%M-%S` WARN: Apache did not restart
      echo DID NOT DETECT ANY RUNNING APACHE PROCESSES!!!
      echo
      echo End of /var/log/apache/error.log follows
      echo
      tail /var/log/apache/error.log
      # Put the backed-up config back and bring apache up on it.
      cat /etc/apache/vhost.conf.$now >/etc/apache/vhost.conf
      apachectl start
      echo
      echo I have restored the old config file and restarted apache.
      echo You will get this error every three minutes as an incentive
      echo to fix the problem in /etc/apache/vhost.latest !
    else
      echo Detected apache processes have restarted OK.
    fi
  else
    echo
    echo >>/var/log/telcust.log `date +%Y-%m-%d-%H-%M-%S` WARN: Apache conf failed syntax test
    echo Oh dear, the new apache config failed the configtest.
    echo Will restore the old config and not restart apache.
    cat /etc/apache/vhost.conf.$now >/etc/apache/vhost.conf
  fi

fi

-

The vhost.latest simply contains lots of blocks.

Cheers,

gdh