Mailing List Archive

Protect directory
Hi,

How can I protect a directory, to make it impossible for users to get, view or list
what's inside it? Sample: if I have one directory called ssfiles, on the
htdocs root, what must I do to make it not accessible for users to view when
they link to http://www.site.com/ssfiles , and also redirect them to another
link, like the index one (http://www.site.com)?

Thank you,

+-------------------------
Fernando A. R. Wendt
Webmaster UNIJUÍ
http://www.unijui.tche.br
-------------------------+


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: Protect directory
If this is done on a linux or unix platform here is how I did it, and everyone can tell me if it is not secure.

I run the apache as user=www and group=webgroup, therefore if I make every user that will be hosting pages, I can set the UID of the person's folder to their UID, and I set the user's GID in the /etc/passwd file to 'webgroup', and then I do a chmod -R o-x on the user's directory.

So in summary here is what you have:

drwxr-x--- This means that only the folder's user can read, write, and execute, but the group that is running apache has permission to read and execute. What this means is that multiple people can log onto your ftp site, see that there are other sites around, but they can't even do an 'ls' on any of the directories (except for the one they own).

The key thing here is making sure that you have the /etc/passwd file and /etc/group and /path/to/httpd.conf (for the user and group that runs apache).

Would appreciate any comments or if I am all fudged up.

Paul

-----Original Message-----
From: Fernando Reuter Wendt [mailto:fernando@admijui.unijui.tche.br]
Sent: Thursday, February 21, 2002 12:20 PM
To: apacheUsersList (E-mail)
Subject: Protect directory

Hi,

How can I protect a directory, to make it impossible for users to get, view or list
what's inside it? Sample: if I have one directory called ssfiles, on the
htdocs root, what must I do to make it not accessible for users to view when
they link to http://www.site.com/ssfiles , and also redirect them to another
link, like the index one (http://www.site.com)?

Thank you,

+-------------------------
Fernando A. R. Wendt
Webmaster UNIJUÍ
http://www.unijui.tche.br
-------------------------+


RE: Protect directory
Ahh, I see what you are trying to do. Look in your httpd.conf file and find the <Directory "/path/to/ssfiles"> and in this directive ensure that you have listed the -Indexes option. So yours would look kinda like this.

<Directory "/path/to/ssfiles">
Options -Indexes
Order allow,deny
Allow from all
</Directory>

and then for the redirect

This also depends on whether you are using virtual hosts. Assuming you are, put the following into your <VirtualHost> directive block:

<VirtualHost www.domainname.com>
Redirect /ssfiles http://www.domainname.com
</VirtualHost>

Obviously a lot more stuff goes in the virtual host directive block, but I am sure you know that, and I am not even sure if you are using virtual hosts.

If you are not, just put the redirect statement at the bottom of your httpd.conf file or wherever you feel comfortable.

Paul

-----Original Message-----
From: Fernando Reuter Wendt [mailto:fernando@admijui.unijui.tche.br]
Sent: Thursday, February 21, 2002 2:26 PM
To: users@httpd.apache.org
Subject: RES: Protect directory

Yes, the system is unix based. And I have thought about the file system
permissions (user group), and am not sure that this can solve that. I believe in
some Apache solution.

Fernando Wendt

-----Original Message-----
From: Paul Stephenson [mailto:PStephenson@ficgroup.com]
Sent: Thursday, February 21, 2002 17:17
To: users@httpd.apache.org
Subject: RE: Protect directory


If this is done on a linux or unix platform here is how I did it, and
everyone can tell me if it is not secure.

I run the apache as user=www and group=webgroup, therefore if I make every
user that will be hosting pages, I can set the UID of the person's
folder to their UID, and I set the user's GID in the /etc/passwd file to
'webgroup', and then I do a chmod -R o-x on the user's directory.

So in summary here is what you have:

drwxr-x--- This means that only the folder's user can read, write, and
execute, but the group that is running apache has permission to read and
execute. What this means is that multiple people can log onto your ftp
site, see that there are other sites around, but they can't even do an 'ls'
on any of the directories (except for the one they own).

The key thing here is making sure that you have the /etc/passwd file and
/etc/group and /path/to/httpd.conf (for the user and group that runs
apache).

Would appreciate any comments or if I am all fudged up.

Paul

-----Original Message-----
From: Fernando Reuter Wendt [mailto:fernando@admijui.unijui.tche.br]
Sent: Thursday, February 21, 2002 12:20 PM
To: apacheUsersList (E-mail)
Subject: Protect directory

Hi,

How can I protect a directory, to make it impossible for users to get, view or list
what's inside it? Sample: if I have one directory called ssfiles, on the
htdocs root, what must I do to make it not accessible for users to view when
they link to http://www.site.com/ssfiles , and also redirect them to another
link, like the index one (http://www.site.com)?

Thank you,

+-------------------------
Fernando A. R. Wendt
Webmaster UNIJUÍ
http://www.unijui.tche.br
-------------------------+
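
Added example, not part of any message in this thread: a small Python model of what the <Directory> block suggested above does and does not restrict. It implements the documented Order/Allow/Deny evaluation and the effect of Options -Indexes; it ignores the Redirect line, handles only "all" and IP/CIDR arguments, and the client addresses are constructed documentation-range values.

```python
import ipaddress


def _matches(spec, client_ip):
    """True if one 'Allow from' / 'Deny from' argument covers client_ip."""
    if spec.lower() == "all":
        return True
    net = ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(client_ip) in net


def access_allowed(order, allow, deny, client_ip):
    """Evaluate Order/Allow/Deny as described in the Apache documentation."""
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Must match an Allow and no Deny; no match at all means denied.
        return allowed and not denied
    if order == "deny,allow":
        # A matching Deny is overridden by a matching Allow; no match means allowed.
        return allowed or not denied
    raise ValueError("unsupported Order value: %r" % order)


def status_for(is_directory, has_index_file, indexes_on, access_ok):
    """HTTP status for a static request under these settings."""
    if not access_ok:
        return 403
    if is_directory and not has_index_file and not indexes_on:
        return 403  # -Indexes: no generated listing for the directory URL
    return 200  # a file, an index page, or a generated listing


# The block from the message above: listing off, access open to everyone.
THREAD = dict(order="allow,deny", allow=["all"], deny=[])
# Two stricter variants for comparison (constructed, not from the thread).
DENY_ALL = dict(order="deny,allow", allow=[], deny=["all"])
ADMIN_ONLY = dict(order="deny,allow", allow=["192.0.2.0/24"], deny=["all"])


def check(cfg, client_ip, is_directory, has_index_file=False, indexes_on=False):
    ok = access_allowed(cfg["order"], cfg["allow"], cfg["deny"], client_ip)
    return status_for(is_directory, has_index_file, indexes_on, ok)


if __name__ == "__main__":
    outside = "198.51.100.7"  # constructed client address
    for name, cfg in (("thread", THREAD), ("deny all", DENY_ALL),
                      ("admin only", ADMIN_ONLY)):
        print(name,
              "directory URL:", check(cfg, outside, is_directory=True),
              "known file URL:", check(cfg, outside, is_directory=False))
```

With the thread's settings the directory URL is refused but a file inside it is still served to anyone who knows its name; only the Deny-based variants refuse the file as well.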


RE: Protect directory
Wouldn't it be better to avoid giving users the ability to see that other
sites exist altogether?

On Thu, 21 Feb 2002, Paul Stephenson wrote:

> If this is done on a linux or unix platform here is how I did it, and everyone can tell me if it is not secure.
>
> I run the apache as user=www and group=webgroup, therefore if I make every user that will be hosting pages, I can set the UID of the person's folder to their UID, and I set the user's GID in the /etc/passwd file to 'webgroup', and then I do a chmod -R o-x on the user's directory.
>
> So in summary here is what you have:
>
> drwxr-x--- This means that only the folder's user can read, write, and execute, but the group that is running apache has permission to read and execute. What this means is that multiple people can log onto your ftp site, see that there are other sites around, but they can't even do an 'ls' on any of the directories (except for the one they own).
>
> The key thing here is making sure that you have the /etc/passwd file and /etc/group and /path/to/httpd.conf (for the user and group that runs apache).
>
> Would appreciate any comments or if I am all fudged up.
>
> Paul
>
> -----Original Message-----
> From: Fernando Reuter Wendt [mailto:fernando@admijui.unijui.tche.br]
> Sent: Thursday, February 21, 2002 12:20 PM
> To: apacheUsersList (E-mail)
> Subject: Protect directory
>
> Hi,
>
> How can I protect a directory, to make it impossible for users to get, view or list
> what's inside it? Sample: if I have one directory called ssfiles, on the
> htdocs root, what must I do to make it not accessible for users to view when
> they link to http://www.site.com/ssfiles , and also redirect them to another
> link, like the index one (http://www.site.com)?
>
> Thank you,
>
> +-------------------------
> Fernando A. R. Wendt
> Webmaster UNIJUÍ
> http://www.unijui.tche.br
> -------------------------+
>
>
Re: Protect directory
Let me see if I get this straight... this is a viable concept for a
situation I am trying to employ here soon...

So, say you have 5 websites on the same machine, differentiated with virtual
hosts. You essentially allow Apache to launch using a common group, and then
have each of the websites correspond to "real" users on the system. So, that
as people visit the website Apache is spawning a process that corresponds to
their particular user. (Trying to simplify this into three words or less)
Each website has a corresponding user account, that essentially gets
activated as people visit the particular site.

I see the benefits of that as far as being able to chroot users and lock
them in with file perms.

But, how would Apache handle that in the conf file, I mean if Apache starts
under nobody/nobody wouldn't each of its children do the same or is this
something that can be handled in the virtual hosts directive...

Or am I just completely off base here... Feel free to tell me to shut up
and get a beer....

Dan


----- Original Message -----
From: <arrchie@cosmic.net.au>
To: "Paul Stephenson" <PStephenson@ficgroup.com>
Cc: <users@httpd.apache.org>
Sent: Thursday, February 21, 2002 4:16 PM
Subject: RE: Protect directory


Wouldn't it be better to avoid giving users the ability to see that other
sites exist altogether?

On Thu, 21 Feb 2002, Paul Stephenson wrote:

> If this is done on a linux or unix platform here is how I did it, and
> everyone can tell me if it is not secure.
>
> I run the apache as user=www and group=webgroup, therefore if I make every
> user that will be hosting pages, I can set the UID of the person's
> folder to their UID, and I set the user's GID in the /etc/passwd file to
> 'webgroup', and then I do a chmod -R o-x on the user's directory.
>
> So in summary here is what you have:
>
> drwxr-x--- This means that only the folder's user can read, write, and
> execute, but the group that is running apache has permission to read and
> execute. What this means is that multiple people can log onto your ftp
> site, see that there are other sites around, but they can't even do an 'ls'
> on any of the directories (except for the one they own).
>
> The key thing here is making sure that you have the /etc/passwd file and
> /etc/group and /path/to/httpd.conf (for the user and group that runs
> apache).
>
> Would appreciate any comments or if I am all fudged up.
>
> Paul
>
> -----Original Message-----
> From: Fernando Reuter Wendt [mailto:fernando@admijui.unijui.tche.br]
> Sent: Thursday, February 21, 2002 12:20 PM
> To: apacheUsersList (E-mail)
> Subject: Protect directory
>
> Hi,
>
> How can I protect a directory, to make it impossible for users to get, view or
> list what's inside it? Sample: if I have one directory called ssfiles, on the
> htdocs root, what must I do to make it not accessible for users to view when
> they link to http://www.site.com/ssfiles , and also redirect them to another
> link, like the index one (http://www.site.com)?
>
> Thank you,
>
> +-------------------------
> Fernando A. R. Wendt
> Webmaster UNIJUÍ
> http://www.unijui.tche.br
> -------------------------+
>
>
Re: Protect directory
Sounds about right to me.. You can set the user per virtual host however.

Something like this
User username
Group username

You could make a group for the user, or you could just use a group for all
users if you don't want the extra groups on your system.


I hope that makes sense :)

Dave
On Thu, 21 Feb 2002, Daniel G. wrote:

> Let me see if I get this straight... this is a viable concept for a
> situation I am trying to employ here soon...
>
> So, say you have 5 websites on the same machine, differentiated with virtual
> hosts. You essentially allow Apache to launch using a common group, and then
> have each of the websites correspond to "real" users on the system. So, that
> as people visit the website Apache is spawning a process that corresponds to
> their particular user. (Trying to simplify this into three words or less)
> Each website has a corresponding user account, that essentially gets
> activated as people visit the particular site.
>
> I see the benefits of that as far as being able to chroot users and lock
> them in with file perms.
>
> But, how would Apache handle that in the conf file, I mean if Apache starts
> under nobody/nobody wouldn't each of its children do the same or is this
> something that can be handled in the virtual hosts directive...
>
> Or am I just completely off base here... Feel free to tell me to shut up
> and get a beer....
>
> Dan
>
>
> ----- Original Message -----
> From: <arrchie@cosmic.net.au>
> To: "Paul Stephenson" <PStephenson@ficgroup.com>
> Cc: <users@httpd.apache.org>
> Sent: Thursday, February 21, 2002 4:16 PM
> Subject: RE: Protect directory
>
>
> Wouldn't it be better to avoid giving users the ability to see that other
> sites exist altogether?
>
> On Thu, 21 Feb 2002, Paul Stephenson wrote:
>
> > If this is done on a linux or unix platform here is how I did it, and
> > everyone can tell me if it is not secure.
> >
> > I run the apache as user=www and group=webgroup, therefore if I make every
> > user that will be hosting pages, I can set the UID of the person's
> > folder to their UID, and I set the user's GID in the /etc/passwd file to
> > 'webgroup', and then I do a chmod -R o-x on the user's directory.
> >
> > So in summary here is what you have:
> >
> > drwxr-x--- This means that only the folder's user can read, write, and
> > execute, but the group that is running apache has permission to read and
> > execute. What this means is that multiple people can log onto your ftp
> > site, see that there are other sites around, but they can't even do an 'ls'
> > on any of the directories (except for the one they own).
> >
> > The key thing here is making sure that you have the /etc/passwd file and
> > /etc/group and /path/to/httpd.conf (for the user and group that runs
> > apache).
> >
> > Would appreciate any comments or if I am all fudged up.
> >
> > Paul
> >
> > -----Original Message-----
> > From: Fernando Reuter Wendt [mailto:fernando@admijui.unijui.tche.br]
> > Sent: Thursday, February 21, 2002 12:20 PM
> > To: apacheUsersList (E-mail)
> > Subject: Protect directory
> >
> > Hi,
> >
> > How can I protect a directory, to make it impossible for users to get, view or
> > list what's inside it? Sample: if I have one directory called ssfiles, on the
> > htdocs root, what must I do to make it not accessible for users to view when
> > they link to http://www.site.com/ssfiles , and also redirect them to another
> > link, like the index one (http://www.site.com)?
> >
> > Thank you,
> >
> > +-------------------------
> > Fernando A. R. Wendt
> > Webmaster UNIJUÍ
> > http://www.unijui.tche.br
> > -------------------------+
> >
> >
Re: Protect directory
>From: "Paul Stephenson" <PStephenson@ficgroup.com>
>To: <users@httpd.apache.org>
>Sent: Thursday, February 21, 2002 12:16 PM
>Subject: RE: Protect directory
>
>
>If this is done on a linux or unix platform here is how I did it, and
>everyone can tell me if it is not secure.
>
>I run the apache as user=www and group=webgroup, therefore if I make
>every user that will be hosting pages, I can set the UID of the
>person's folder to their UID, and I set the user's GID in the
>/etc/passwd file to 'webgroup', and then I do a chmod -R o-x on the
>user's directory.
>
>So in summary here is what you have:
>
>drwxr-x--- This means that only the folder's user can read, write, and
>execute, but the group that is running apache has permission to read
>and execute. What this means is that multiple people can log onto
>your ftp site, see that there are other sites around, but they can't
>even do an 'ls' on any of the directories (except for the one they
>own).

This is safe if you're dealing with plain HTML, but if you have some sort of
dynamic page generation (CGI, PHP, PERL) there is a MAJOR flaw in this
security setup and no easy way to fix it (unless you're willing to use
suEXEC).

Without suEXEC (or Apache 2.0's horribly broken perchild handler which won't
even compile in beta 3, though it would be the better approach if it
works), all of your users' scripts will run as the webserver process. This
means they have write access to anything that Apache does. It also means
that, since Apache can read all the web directories, so could the scripts
the users write.

For example, say one user has a script that accesses a database. It contains
the database username and password somewhere within that page so the
connection can be made. It would be trivial for another user to gain access
to the source for that script and thus obtain the username/password.

-- Daniel Grace
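
Added example, not part of any message in this thread: a Python model of the POSIX owner/group/other check, applied to the drwxr-x--- layout discussed above, showing who can read one site's database script depending on which identity a script runs as. All names, IDs and paths are constructed; root and ACLs are not modelled.

```python
from collections import namedtuple

Principal = namedtuple("Principal", "name uid gids")
Node = namedtuple("Node", "path owner_uid group_gid mode")

# Constructed IDs, for illustration only.
WEBGROUP = 800
WWW = Principal("www", 80, frozenset({WEBGROUP}))      # the Apache user
ALICE = Principal("alice", 1001, frozenset({1001}))
BOB = Principal("bob", 1002, frozenset({1002}))         # own private group
BOB_IN_WEBGROUP = Principal("bob", 1002, frozenset({WEBGROUP}))

# alice's site: drwxr-x--- alice:webgroup, script readable by the group
# so that the web server can load it (hypothetical paths).
ALICE_DIR = Node("/home/alice/site", 1001, WEBGROUP, 0o750)
ALICE_DB_SCRIPT = Node("/home/alice/site/db.php", 1001, WEBGROUP, 0o640)


def class_bits(who, node):
    """rwx bits (0-7) that apply to `who`: exactly one class is selected."""
    if who.uid == node.owner_uid:
        return (node.mode >> 6) & 7
    if node.group_gid in who.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_read(who, directory, file):
    """Reading a file needs search (x) on its directory and read (r) on it."""
    return bool(class_bits(who, directory) & 1) and bool(class_bits(who, file) & 4)


def script_runs_as(site_owner, suexec):
    """Identity a site's CGI script executes under."""
    return site_owner if suexec else WWW


def script_can_read_alice_db(site_owner, suexec):
    who = script_runs_as(site_owner, suexec)
    return can_read(who, ALICE_DIR, ALICE_DB_SCRIPT)


if __name__ == "__main__":
    print("bob at a shell:            ", can_read(BOB, ALICE_DIR, ALICE_DB_SCRIPT))
    print("bob's script, no suEXEC:   ", script_can_read_alice_db(BOB, False))
    print("bob's script, suEXEC:      ", script_can_read_alice_db(BOB, True))
    print("same, bob is in webgroup:  ", script_can_read_alice_db(BOB_IN_WEBGROUP, True))
```

The result turns entirely on which uid and groups the script holds, so the same audit should be run with the real group memberships from /etc/passwd and /etc/group.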




Re: Protect directory
What I do is set the VirtualHost directories' permissions
to 770 drwxrwx--- and set www (Apache) as the user for
those directories & make the group the domain name. Then
each person who needs access to that site gets added to
the domain name group.

That way only Apache & the appropriate users of the
domain have access to the website files. Anyone else in
another group can't see the files on the server except
through the Internet as appropriate.

There is probably some major flaw in this that I'm
overlooking but I haven't found it yet.


-=- RuneImp
ImpTech - Web Design, Hosting & Computer Tech
http://imptech.net
rune@imptech.net


----- Original Message -----
From: "Daniel Grace" <rubein@earthlink.net>
To: <users@httpd.apache.org>
Sent: Thursday, February 21, 2002 3:43 PM
Subject: Re: Protect directory


>From: "Paul Stephenson" <PStephenson@ficgroup.com>
>To: <users@httpd.apache.org>
>Sent: Thursday, February 21, 2002 12:16 PM
>Subject: RE: Protect directory
>
>
>If this is done on a linux or unix platform here is how I did it, and
>everyone can tell me if it is not secure.
>
>I run the apache as user=www and group=webgroup, therefore if I make
>every user that will be hosting pages, I can set the UID of the
>person's folder to their UID, and I set the user's GID in the
>/etc/passwd file to 'webgroup', and then I do a chmod -R o-x on the
>user's directory.
>
>So in summary here is what you have:
>
>drwxr-x--- This means that only the folder's user can read, write, and
>execute, but the group that is running apache has permission to read
>and execute. What this means is that multiple people can log onto
>your ftp site, see that there are other sites around, but they can't
>even do an 'ls' on any of the directories (except for the one they
>own).

This is safe if you're dealing with plain HTML, but if you have some sort of
dynamic page generation (CGI, PHP, PERL) there is a MAJOR flaw in this
security setup and no easy way to fix it (unless you're willing to use
suEXEC).

Without suEXEC (or Apache 2.0's horribly broken perchild handler which won't
even compile in beta 3, though it would be the better approach if it
works), all of your users' scripts will run as the webserver process. This
means they have write access to anything that Apache does. It also means
that, since Apache can read all the web directories, so could the scripts
the users write.

For example, say one user has a script that accesses a database. It contains
the database username and password somewhere within that page so the
connection can be made. It would be trivial for another user to gain access
to the source for that script and thus obtain the username/password.

-- Daniel Grace

