Phil Howard wrote:
I don't understand what it is you are doing, so I cannot comment on whether it is common or not, or even secure. A test to detect if others can write a file that would be executed is a critical test on a multi-user machine. Similarly, testing if all parent directories can be written by others is important, too (otherwise, someone could move names around at some directory level to get their executable to be used).
I am making a new system for midsize webhoster, so there are many users, many sites for them and more levels of privileges than simple user and root. It consists of 10+ virtual systems now and will grow as required in the future, mainly with more worker systems using apache with this or other kind of su. I need to protect all the sites from themselves - have one unix uid for upload and file management and another for actual run of the site. Basicaly every site has these two plus there are priviledged master accounts for some different groups of sites. I can secure that there is simply no acces to any unprivilegeled some directory levels above site code, every site structure is created by root and privileges+acls are set on the lowest possible level. Sftp requires for chroot, that target directory or anything above it is writable by anyone except root, so everything above is well protected and I want to fiddle at lowest level of the structure. Is it better if I relax the tests to main group of that user? It would mean that some users get listed in thousands of groups, which seems worse to me. If anyone knows about some usefull article I semm missed while googling, that would enlighten me, I'd be thankful too. I is my job, but I try to make the last piece sorted out the best possible way and eventualy, I went here. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
