Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
On 10.03.11 03:59, aaron...@comcast.net wrote:
> While the setup Jim describes is similar to what I have set up, the issue still remains: when a user uploads a PHPSHELL to their document root and accesses the server through the uploaded shell, they are no longer operating under the FTP user account. They are operating under the www-data account, which is the account Apache operates in. By doing so, when using the uploaded PHPSHELL you bypass the FTP and jail restrictions

What jail restrictions? Of course when running PHP under Apache, the restrictions from FTP do not apply. Therefore you must configure PHP so other restrictions apply.

> that prevent you from seeing other people's document root, and have access to all document roots on the system. Here is a PHPSHELL: http://phpshell.sourceforge.net/ Upload and configure it, give it a try; it runs under the www-data account just like all other pages do. This issue would allow your PHP files to be viewed. This can be an issue due to needing to have passwords in PHP scripts to access SQL databases etc. This issue could be resolved by making each virtualhost run under a different account and jailing each account in a different jail.

Read my former mail, I think I have described everything you mention.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.

- The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
An apology...

On 10.03.11 03:59, aaron...@comcast.net wrote:
>> While the setup Jim describes is similar to what I have set up, the issue still remains: when a user uploads a PHPSHELL to their document root and accesses the server through the uploaded shell, they are no longer operating under the FTP user account. They are operating under the www-data account, which is the account Apache operates in. By doing so, when using the uploaded PHPSHELL you bypass the FTP and jail restrictions
>
> What jail restrictions? Of course when running PHP under Apache, the restrictions from FTP do not apply. Therefore you must configure PHP so other restrictions apply.
>
>> that prevent you from seeing other people's document root, and have access to all document roots on the system. Here is a PHPSHELL: http://phpshell.sourceforge.net/ Upload and configure it, give it a try; it runs under the www-data account just like all other pages do. This issue would allow your PHP files to be viewed. This can be an issue due to needing to have passwords in PHP scripts to access SQL databases etc. This issue could be resolved by making each virtualhost run under a different account and jailing each account in a different jail.

On 06.04.11 11:39, Matus UHLAR - fantomas wrote:
> read my former mail, I think I have described everything you mention.

Sorry for my ignorance. I forgot I'm lagging (illness etc.) and hadn't seen your post before (seems due to broken threading).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody
Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
On 06.03.11 22:43, aaron...@comcast.net wrote:
> I have apache2 running virtual hosts. I've figured out how to jail a user that uploads files to the document root using jailkit and only allow SFTP access. What I have not figured out is how to keep a user from reading other files on the system, such as other virtual host document roots, by uploading a phpshell, which runs under the www-data user, which is not jailed. I could jail the www-data account, but this would not prevent one virtual host from seeing another using a phpshell, since they would be in the same jail. What I think I need to do is run each virtual host under a different user account so I can jail each separately. How would I set this up? Can virtual hosts be run with different user accounts?

I think that they can by using peruser MPM, but I think it's only scalable to a few hundreds/thousands of accounts.

> The reasoning behind this is I want to protect the PHP scripts from being viewed.

Run PHP as a module and configure directives like open_basedir and doc_root.

For CGI, you can configure all www directories to have 0750 permissions (write for owner, read for group) and run apache under user nobody but the group you give to all directories. Note that ordinary users must not belong to the group.

Running under suexec, run scripts under the userid and group that doesn't have permission to read those directories.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson. -- Daffy Duck Porky Pig
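The two routes Matus describes, written out as Apache 2.2 configuration (the version the original poster runs). This is an added example, not configuration from the thread or from the Apache project: the account names website1 and website2, the /srv/www paths and the IP addresses are assumed, and the on-disk ownership the file relies on is described in comments rather than created by it. The suexec part also covers the suexec route Nick Kew mentions later in the thread.

```apache
# Added example, not from the thread. One customer account per vhost; the
# names website1/website2, the /srv/www paths and the IPs are assumed.

User  www-data
Group www-data

# Assumed on-disk layout (created outside this file):
#   /srv/www/website1/          website1:www-data  drwxr-x---  (0750)
#   /srv/www/website1/htdocs    website1:www-data  drwxr-x---
#   /srv/www/website1/tmp       website1:www-data  drwxrwx---
#   /srv/www/website2/          website2:www-data  drwxr-x---  (same pattern)
# Apache (group www-data) can read both trees. The customer accounts are NOT
# members of www-data, so nothing running as website1 can enter /srv/www/website2.

# --- Route 1: PHP as a module, fenced per vhost with open_basedir ------------
# php_admin_value cannot be overridden from .htaccess or ini_set(), so a script
# uploaded into website1 cannot lift its own limits. Trailing slashes matter:
# "/srv/www/website1/htdocs" would also match "/srv/www/website1/htdocs-old".
<VirtualHost 192.168.253.250:80>
    ServerName   website1.local
    DocumentRoot /srv/www/website1/htdocs
    php_admin_value open_basedir      "/srv/www/website1/htdocs/:/srv/www/website1/tmp/:/usr/share/php/"
    php_admin_value upload_tmp_dir    "/srv/www/website1/tmp"
    php_admin_value session.save_path "/srv/www/website1/tmp"
    # open_basedir only fences PHP's own file functions. A process spawned from
    # PHP still runs as www-data with ordinary filesystem rights, so that door
    # has to be closed separately.
    php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen"
    <Directory /srv/www/website1/htdocs>
        # Apache itself must not follow a symlink planted in this tree that
        # points into another customer's files; owner match blocks that.
        Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost 192.168.253.251:80>
    ServerName   website2.local
    DocumentRoot /srv/www/website2/htdocs
    php_admin_value open_basedir      "/srv/www/website2/htdocs/:/srv/www/website2/tmp/:/usr/share/php/"
    php_admin_value upload_tmp_dir    "/srv/www/website2/tmp"
    php_admin_value session.save_path "/srv/www/website2/tmp"
    php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen"
    <Directory /srv/www/website2/htdocs>
        Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# --- Route 2: CGI under suexec, one system account per vhost ----------------
# suexec runs this vhost's scripts as website1:website1 instead of www-data, so
# the 0750 owner:www-data layout above decides what they can read: their own
# tree (as owner) and nothing under /srv/www/website2.
# suexec insists that the script directory and the script itself are owned by
# the target user AND group, so cgi-bin is website1:website1 (0755 is fine:
# the 0750 parent already keeps other customers out).
#   /srv/www/website1/cgi-bin       website1:website1  drwxr-xr-x
#   /srv/www/website1/cgi-bin/*.cgi website1:website1  -rwxr-xr-x
<VirtualHost 192.168.253.250:80>
    ServerName   cgi.website1.local
    DocumentRoot /srv/www/website1/htdocs
    SuexecUserGroup website1 website1
    ScriptAlias /cgi-bin/ /srv/www/website1/cgi-bin/
    <Directory /srv/www/website1/cgi-bin>
        Options +ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

The practical difference between the two routes is where the boundary lives: with mod_php every script still executes as www-data and open_basedir plus disable_functions are the only fence, while under suexec the kernel's file permissions are the fence and PHP settings become defence in depth. suexec is compiled with a fixed document root and a minimum uid/gid; the paths and accounts used above must satisfy what `suexec -V` reports on the host, or it refuses to run the script and logs the reason in its own log.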
Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
While the setup Jim describes is similar to what I have set up, the issue still remains: when a user uploads a PHPSHELL to their document root and accesses the server through the uploaded shell, they are no longer operating under the FTP user account. They are operating under the www-data account, which is the account Apache operates in. By doing so, when using the uploaded PHPSHELL you bypass the FTP and jail restrictions that prevent you from seeing other people's document root, and have access to all document roots on the system. Here is a PHPSHELL: http://phpshell.sourceforge.net/ Upload and configure it, give it a try; it runs under the www-data account just like all other pages do. This issue would allow your PHP files to be viewed. This can be an issue due to needing to have passwords in PHP scripts to access SQL databases etc. This issue could be resolved by making each virtualhost run under a different account and jailing each account in a different jail.

----- Original Message -----
From: Jim Walls j...@k6ccc.org
To: users@httpd.apache.org
Sent: Monday, March 7, 2011 12:58:59 AM
Subject: Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?

> On 3/6/2011 2:43 PM, aaron...@comcast.net wrote:
>> I have apache2 running virtual hosts. I've figured out how to jail a user that uploads files to the document root using jailkit and only allow SFTP access. What I have not figured out is how to keep a user from reading other files on the system, such as other virtual host document roots, by uploading a phpshell, which runs under the www-data user, which is not jailed.
>
> Maybe I'm not understanding the problem. As I understand it, you don't want a user that has ftp access to one of your virtual hosts to be able to have read access to another of the virtual hosts. What's the problem? As I understand the question, this has everything to do with the security and setup of your ftp server and nothing to do with apache. I have this very easily.
>
> I use Bulletproof FTP server and I can easily allow a user ID whatever access and to whatever directories I want. The two virtual servers have completely different document roots. Let me give an example:
>
> I have a virtual server that is xyz.org with a root of C:\Program Files\Apache Group\Apache2\htdocs\xyz.org
> I have a second virtual server that is abc.info with a root of C:\Program Files\Apache Group\Apache2\htdocs\abc.info
>
> In my ftp server, the user IDs that are there for access to xyz.org have no access above C:\Program Files\Apache Group\Apache2\htdocs\xyz.org and the user IDs that are there for access to abc.info have no access above C:\Program Files\Apache Group\Apache2\htdocs\abc.info
>
> Did I just answer the question or am I completely missing the question?
>
> --
> 73 - Jim Walls - K6CCC
> j...@k6ccc.org
> Ofc: 818-548-4804
> http://members.dslextreme.com/users/k6ccc/
> AMSAT Member 32537 - WSWSS Member 395
[users@httpd] How do I keep Virtual hosts from seeing the others' document root?
I have apache2 running virtual hosts. I've figured out how to jail a user that uploads files to the document root using jailkit and only allow SFTP access. What I have not figured out is how to keep a user from reading other files on the system, such as other virtual host document roots, by uploading a phpshell, which runs under the www-data user, which is not jailed. I could jail the www-data account, but this would not prevent one virtual host from seeing another using a phpshell, since they would be in the same jail. What I think I need to do is run each virtual host under a different user account so I can jail each separately. How would I set this up? Can virtual hosts be run with different user accounts? The reasoning behind this is I want to protect the PHP scripts from being viewed. Any suggestions or ideas? If so, send me some links to point me in the right direction.

Thanks
Aaron
Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
On March 6, 2011 17:43, aaron...@comcast.net wrote:
> I have apache2 running virtual hosts. I've figured out how to jail a user that uploads files to the document root using jailkit and only allow SFTP access. What I have not figured out is how to keep a user from reading other files on the system, such as other virtual host document roots, by uploading a phpshell, which runs under the www-data user, which is not jailed.

Other people will hopefully have more and/or better suggestions, but here are mine:

- Use FastCGI to run code for each virtual host as a user specific to that virtual host. For example, if you have several virtual hosts running PHP code, you could set up a separate instance of php-fpm for each one. See http://us3.php.net/manual/en/install.fpm.php If you go this route, try it with mod_fastcgi on the httpd end of things first; you'd need to use set-uid wrapper scripts if you used mod_fcgid, and php-fpm currently lacks support for mod_proxy_fcgi.

Alternatively:

- If you are running on a system that has SELinux, haven't disabled it, and are running Apache HTTP Server under it, then Apache/SELinux plus will hopefully give you what you want. See http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus

If nothing else works:

- Run a separate instance of httpd for each virtual host, each with its own httpd.conf and each running as a separate user on a unique port (not port 80). Configure these instances to only talk to a reverse proxy that sits in front of them and listens on port 80.

I hope this helps.

--
Mark Montague
m...@catseye.org
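Mark's first suggestion, one php-fpm pool per vhost reached through mod_fastcgi, as an added example on Apache 2.2 (not configuration from the thread, from php-fpm or from mod_fastcgi). It assumes two pools already running, each as its own account and on its own socket (in pool terms: `user = website1`, `group = website1`, `listen = /var/run/php-fpm/website1.sock`, with `listen.group = www-data` and `listen.mode = 0660` so Apache may connect, and likewise for website2), that mod_fastcgi, mod_actions and mod_alias are loaded, and that the 0750 owner:www-data tree layout Matus describes earlier in the thread is in place. The names, paths and addresses are assumed.

```apache
# Added example, not from the thread: one php-fpm pool per vhost, wired up
# through mod_fastcgi on Apache 2.2. Pools, sockets, paths and IPs are assumed.
#
# Assumed layout: /srv/www/website1 is website1:www-data 0750 (same for
# website2). The website1 pool reads its tree as owner; Apache reads static
# files through the group; website1 has no path into /srv/www/website2.

# Each pool is an "external" FastCGI server that mod_fastcgi does not spawn.
# The first argument is a virtual path that is never read from disk; only its
# directory has to exist so Apache can map the request onto it.
FastCgiExternalServer /srv/www/website1/fcgi-bin/php5-fcgi \
    -socket /var/run/php-fpm/website1.sock -pass-header Authorization -idle-timeout 120
FastCgiExternalServer /srv/www/website2/fcgi-bin/php5-fcgi \
    -socket /var/run/php-fpm/website2.sock -pass-header Authorization -idle-timeout 120

<VirtualHost 192.168.253.250:80>
    ServerName   website1.local
    DocumentRoot /srv/www/website1/htdocs
    # Every .php request in this vhost goes to website1's pool and nowhere
    # else: handler name, Action URL and Alias target are all per-site, so a
    # script in website1 can never be executed by website2's pool or vice versa.
    AddHandler php5-fcgi .php
    Action     php5-fcgi /php5-fcgi
    Alias      /php5-fcgi /srv/www/website1/fcgi-bin/php5-fcgi
    <Directory /srv/www/website1/fcgi-bin>
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /srv/www/website1/htdocs>
        # Static files are still served by www-data, which can read every
        # customer tree, so Apache must not follow foreign symlinks.
        Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost 192.168.253.251:80>
    ServerName   website2.local
    DocumentRoot /srv/www/website2/htdocs
    AddHandler php5-fcgi .php
    Action     php5-fcgi /php5-fcgi
    Alias      /php5-fcgi /srv/www/website2/fcgi-bin/php5-fcgi
    <Directory /srv/www/website2/fcgi-bin>
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /srv/www/website2/htdocs>
        Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

With this wiring a shell uploaded into website1 executes as the website1 account, so what it can reach is decided by file ownership and mode rather than by open_basedir. It can still read everything website1 itself owns, which is the floor of any per-account scheme; what it can no longer do is read website2's tree, because that account is not in the www-data group and the directory is 0750.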
Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
On Sun, 6 Mar 2011 22:43:36 +0000 (UTC) aaron...@comcast.net wrote:
> I could jail the www-data account but this would not prevent one virtual host from seeing another using a phpshell since they would be in the same jail.

Yep. Virtualhosts aren't designed for that level of security.

You forgot to tell us what platform you're on. You have one suggestion based on FastCGI, and one I've never heard of based on selinux. Two simpler alternatives are CGI with suexec (which is cross-platform) or mod_privileges (for Solaris).

--
Nick Kew

Available for work, contract or permanent.
http://www.webthing.com/~nick/cv.html
Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
I'm running Apache/2.2.12 (Ubuntu) Server. I thought I was running a separate instance of httpd by having Listen configured twice in the ports.conf file, see below. I have two IP virtual hosts set up in sites-available:

    <VirtualHost 192.168.253.250:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www
        ServerName website1.local
    </VirtualHost>

and

    <VirtualHost 192.168.253.251:80>
        ServerAdmin admin@localhost
        DocumentRoot /var/http
        ServerName website2.local
    </VirtualHost>

httpd.conf:

    DirectoryIndex index.php index.html index.htm default.htm

ports.conf:

    # NameVirtualHost
    Listen 192.168.253.250:80
    Listen 192.168.253.251:80

    <IfModule mod_ssl.c>
        # SSL name based virtual hosts are not yet supported, therefore no
        # NameVirtualHost statement here
        Listen 443
    </IfModule>

apache2.conf: default install
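Two Listen lines in one ports.conf bind two sockets for the same httpd, which still runs as the single User and Group set in apache2.conf, so both vhosts above execute PHP as www-data. The separate instance in Mark's third suggestion is a second httpd process started from its own configuration file. As an added example (not configuration from the thread or from the Apache project), here is the front instance on port 80, which only proxies, followed by the configuration of one backend instance that runs as its own account on a loopback port. The paths, ports, addresses, PHP module path and account names are assumed, and the backend fragment leaves out the routine LoadModule and MIME lines of a full 2.2 configuration.

```apache
# Added example, not from the thread: Mark's "separate httpd per vhost" route
# on Apache 2.2. Two files are shown in one block; the dashed comment lines
# mark where each begins. Paths, ports, IPs, module path and accounts assumed.

# ---- /etc/apache2/sites-available/frontend : the one instance on port 80 ----
# Runs as www-data, owns no document root and only forwards requests, so it
# never needs read access to any customer tree. Needs mod_proxy and
# mod_proxy_http. ProxyRequests Off keeps it a reverse proxy only.
ProxyRequests Off

<VirtualHost 192.168.253.250:80>
    ServerName        website1.local
    ProxyPreserveHost On
    ProxyPass         / http://127.0.0.1:8081/
    ProxyPassReverse  / http://127.0.0.1:8081/
</VirtualHost>

<VirtualHost 192.168.253.251:80>
    ServerName        website2.local
    ProxyPreserveHost On
    ProxyPass         / http://127.0.0.1:8082/
    ProxyPassReverse  / http://127.0.0.1:8082/
</VirtualHost>

# ---- /etc/apache2-website1/httpd.conf : the backend instance for website1 ----
# Started on its own (apache2 -f /etc/apache2-website1/httpd.conf) as root so
# it can drop to the website1 account. Everything that could collide with the
# main server (pid, lock, logs, port) is its own. Only loopback is bound, so
# the proxy above is the only way in. Routine LoadModule/MIME lines omitted.
ServerRoot   "/etc/apache2-website1"
Listen       127.0.0.1:8081
User         website1
Group        website1
PidFile      /var/run/apache2-website1.pid
LockFile     /var/lock/apache2-website1/accept.lock
ErrorLog     /var/log/apache2/website1-error.log
# The proxy is the TCP client, so %h would always be 127.0.0.1; log the real
# client from the X-Forwarded-For header that mod_proxy_http adds.
LogFormat    "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" proxied
CustomLog    /var/log/apache2/website1-access.log proxied

LoadModule   php5_module /usr/lib/apache2/modules/libphp5.so
AddType      application/x-httpd-php .php

ServerName   website1.local
DocumentRoot /srv/www/website1/htdocs
<Directory /srv/www/website1/htdocs>
    Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
# website2 gets a twin of this file with its own port (8082), account and
# paths. With /srv/www/website2 owned website2:website2 mode 0750, this whole
# process, PHP included, cannot read it no matter what code it is asked to run.
```

The separation here is at the process level, so it holds for mod_php, CGI and anything else the backend loads, at the cost of one httpd per customer; that is why Mark lists it last. Each backend must have its own PidFile, LockFile and log files, otherwise two instances running as different users fight over the same paths and the second one fails to start.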
Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
On 3/6/2011 2:43 PM, aaron...@comcast.net wrote:
> I have apache2 running virtual hosts. I've figured out how to jail a user that uploads files to the document root using jailkit and only allow SFTP access. What I have not figured out is how to keep a user from reading other files on the system, such as other virtual host document roots, by uploading a phpshell, which runs under the www-data user, which is not jailed.

Maybe I'm not understanding the problem. As I understand it, you don't want a user that has ftp access to one of your virtual hosts to be able to have read access to another of the virtual hosts. What's the problem? As I understand the question, this has everything to do with the security and setup of your ftp server and nothing to do with apache. I have this very easily.

I use Bulletproof FTP server and I can easily allow a user ID whatever access and to whatever directories I want. The two virtual servers have completely different document roots. Let me give an example:

I have a virtual server that is xyz.org with a root of C:\Program Files\Apache Group\Apache2\htdocs\xyz.org
I have a second virtual server that is abc.info with a root of C:\Program Files\Apache Group\Apache2\htdocs\abc.info

In my ftp server, the user IDs that are there for access to xyz.org have no access above C:\Program Files\Apache Group\Apache2\htdocs\xyz.org and the user IDs that are there for access to abc.info have no access above C:\Program Files\Apache Group\Apache2\htdocs\abc.info

Did I just answer the question or am I completely missing the question?

--
73 - Jim Walls - K6CCC
j...@k6ccc.org
Ofc: 818-548-4804
http://members.dslextreme.com/users/k6ccc/
AMSAT Member 32537 - WSWSS Member 395
Re: [users@httpd] How do I keep Virtual hosts from seeing the others' document root?
Jim Walls wrote:
> ~snip~
> Did I just answer the question or am I completely missing the question?

And with no ftp server installed you can point a web browser to ftp://xyz.com and httpd will allow ftp protocol read access. To stop that you need to do as earlier posters described.