On Wed, Aug 11, 2010 at 18:24, David Ricar r...@ethernet.cz wrote:
Phil Howard wrote:
For maintenance, it might be easier for you to make an suexec wrapper.
Run your wrapper to do custom checks and if it decides to go on, it
runs suexec. That way your maintenance is for your program, only,
Phil Howard wrote:
By suexec wrapper, I mean a program you write which will be placed
where Apache expects to find suexec. The real suexec will be moved to
somewhere else (maybe real-suexec in the same directory). Your
program will know where it is (and probably hard code that). Your
program
On Thu, Aug 12, 2010 at 09:49, David Ricar r...@ethernet.cz wrote:
I need just one thing: replace others writable tests by is_in_homedir
test - suexec does not solve, who could rewrite the code, but where the
code is located. My patch is rather naive and dirty proof of concept
right now, I
Phil Howard wrote:
I don't understand what it is you are doing, so I cannot comment on
whether it is common or not, or even secure. A test to detect if
others can write a file that would be executed is a critical test on a
multi-user machine. Similarly, testing if all parent directories can
be
On Thu, Aug 12, 2010 at 13:02, David Ricar r...@ethernet.cz wrote:
[...]
Sorry, I'm still not understanding what you are doing. I didn't
understand why you need two users per each site.
--
sHiFt HaPpEnS!
-
The official
David Ricar wrote:
Hello,
~snip~
So my concept is based on two basic users for every website - one for
ftp and another for suexec run. Homedir of both is one level above any
website data and it is owned by root, ftp is chrooted there. If suexec
would be able to just check if code is in users
Phil Howard wrote:
On Thu, Aug 12, 2010 at 13:02, David Ricar r...@ethernet.cz wrote:
[...]
Sorry, I'm still not understanding what you are doing. I didn't
understand why you need two users per each site.
J. Greenlees wrote:
I believe the standard method of doing this to completely lock the
Hello,
for quite some time I am digging into webserver security and sadly, I
found basicaly two bad choices for multisite ultiuser server. I found
some disscussions about the subject, but it seems that I am still
missing something.
1) Standard way of usage with different ftp users and a
On 2010-08-11 13:23, David Ricar wrote:
Am I missing an obvious solution that is possible without the patch or
is my view too paranoid?
Mount all your content read-only.
-
The official User-To-User support forum of the Apache
On Wed, Aug 11, 2010 at 09:23, David Ricar r...@ethernet.cz wrote:
Hello,
I don't think I see anything you are trying to accomplish different
than an ordinary multiuser server. You should be able to configure
where CGI can be run from to a narrow space. I assume FTP is for the
site owner to
Jefferson Ogata wrote:
On 2010-08-11 13:23, David Ricar wrote:
Am I missing an obvious solution that is possible without the patch or
is my view too paranoid?
Mount all your content read-only.
Sadly most of the sites requires some places to upload images and so on,
so this is not
Phil Howard wrote:
For maintenance, it might be easier for you to make an suexec wrapper.
Run your wrapper to do custom checks and if it decides to go on, it
runs suexec. That way your maintenance is for your program, only, and
you have to track a lot fewer changes to Apache code (basically
12 matches
Mail list logo
