Hello,
for quite some time I have been digging into webserver security and sadly, I found basically two bad choices for a multisite multiuser server. I found some discussions about the subject, but it seems that I am still missing something.

1) The standard way of usage with different ftp users and a single worker allows one web to break into another. This could not be considered safe.

2) The suexec (suphp and others) way makes it far harder to break from one web to another while it makes it a piece of cake to break into any single web and do anything from it. This means that a simple hole in the code of the website, that would do nothing in the 1st way, could change .htaccess or index.php. Basically it is a replacement of one security hole by another with a huge performance penalty. This could not be considered safe.

In the policies, I have a problem with these two:
# Is the directory NOT writable by anyone else?
The directory should not be writable by the user intended to run the code and there needs to be a non-root account managing it.

# Is the target CGI/SSI program NOT writable by anyone else?
Same as above.

So my concept is based on two basic users for every website - one for ftp and another for the suexec run. The homedir of both is one level above any website data and it is owned by root; ftp is chrooted there. If suexec would be able to just check if the code is in the user's homedir, I'd have what I need. This way, I could limit where the web is able to rewrite itself - make it as safe as possible with dynamic pages.

Do I understand it right that there is no way of setting the original suexec to do what I want? I have patched the sources, but it requires me to maintain all the updates manually, which is far from perfect.

Am I missing an obvious solution that is possible without the patch or is my view too paranoid?

Have a nice day!
David
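
The layout described in the post (root-owned homedir, an FTP user owning the site files, a separate run user that may not rewrite the code it executes), expressed as an audit check. This is an added example, not part of the original post and neither suexec's code nor the poster's patch; the function names, uids and the sample tree are assumptions, and only classic mode bits are considered (no ACLs).

```python
import os
import stat
from pathlib import Path
from types import SimpleNamespace

def writable_by(st, uid, gids):
    """Apply the classic owner/group/other write bits (ACLs are ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_target(script, home, run_uid, run_gids, lstat=os.lstat):
    """List the ways `script` breaks the two-user layout; [] means it passes."""
    script = Path(os.path.normpath(script))   # lexical cleanup of ".." only
    home = Path(os.path.normpath(home))
    if home not in script.parents:
        return [f"{script} is outside {home}"]
    problems = []
    if lstat(home).st_uid != 0:
        problems.append(f"{home} is not owned by root")
    # Walk from the script up to and including the homedir: a writable
    # directory lets the run user replace whatever sits below it.
    node = script
    while True:
        st = lstat(node)
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{node} is a symlink")
        elif writable_by(st, run_uid, run_gids):
            problems.append(f"{node} is writable by the run user")
        if node == home:
            break
        node = node.parent
    return problems

# Constructed sample tree: uid 2001 is the FTP user, uid 2002 the run user.
FTP, RUN = 2001, 2002
SAMPLE = {
    "/home/site1": (stat.S_IFDIR | 0o755, 0, 0),
    "/home/site1/www": (stat.S_IFDIR | 0o755, FTP, FTP),
    "/home/site1/www/index.php": (stat.S_IFREG | 0o644, FTP, FTP),
    "/home/site1/www/cache": (stat.S_IFDIR | 0o755, RUN, RUN),
    "/home/site1/www/cache/x.php": (stat.S_IFREG | 0o644, FTP, FTP),
}

def sample_lstat(path):
    mode, uid, gid = SAMPLE[str(path)]
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)
```

Calling `audit_target(path, "/home/site1", RUN, {RUN}, sample_lstat)` runs the check against the constructed tree; leaving out the last argument makes it use `os.lstat` on a real filesystem.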

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.