Results 1 to 7 of 7
  1. #1

    * Web Shared Server, Security Problems,

    Hey,

    I'm running some web shared servers without any CP,

    The apache web server runs with user/group nobody/nobody

    each virtual host points to a specific ftp account for each one of my customers,
    of course, I must give read/write access to the 'other' group so apache will be able to read/write,

    My problem is that one customer can actually access other customer's directory as wells (due to the fact that all sites has permissions to read from each other because of the Apache requirements)

    It is possible to declare in php an "open_basdir" which is great but still all sites must be under this directory,

    Is there any way to create a base_dir per virtual host somehow?
    Or maybe there's any other way to lock a site only in its directory ?

    Thanks

  2. #2
    Join Date
    Mar 2004
    Location
    Belgium
    Posts
    81
    Set open_basedir in your apache configfile per vhost.

  3. #3
    Except the DocumentRoot?
    What is the directive?

    And damn, I also use the rewrite module to create automatic sites decleration without any virtual host needs, there for sure I won't be able to set this directive,


    But anyway, I'll be glad if you'll name it

    thanks.

  4. #4
    Join Date
    Jun 2003
    Posts
    673

  5. #5
    Join Date
    Jan 2003
    Location
    Lake Arrowhead, CA
    Posts
    789
    Openbasedir only applies to PHP, so there are still some things remaining:
    My problem is that one customer can actually access other customer's directory as well
    From where can they access other customer's data? Web, ftp, php, cgi, shell?

    Your FTP server should be setup to jail the user to their home directory. If you allow CGI, you'll need to secure that Apache suExec.

    If you allow shell or other methods of access to your server, user, group and file permissions become a much bigger issue and you really need to use suPHP and Apache suExec to make sure users can only read/write their own files.
    http://www.srohosting.com
    Stability, redundancy and peace of mind

  6. #6
    Nah,
    It's not about the FTP server, all users are chrooted to their dir,
    The problem is only with PHP, but I solved it by using php's open_basedir directive per virtual site,

    thanks

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Originally posted by SROHost

    If you allow shell or other methods of access to your server, user, group and file permissions become a much bigger issue and you really need to use suPHP and Apache suExec to make sure users can only read/write their own files.
    Well, if you allow ssh you have alot more then just permission problems :X
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •