Network Security Focus-Linux

Re: Apache+PHP+ftp security

Subject: Re: Apache+PHP+ftp security
Date: Mon, 28 Mar 2005 19:43:06 +0200
Before you do anything, have a look at
http://www.mamboserver.com/

It's an excellent content management system, well suited
for virtual domains. No FTP hassle! They have removed
the confusion component!

On Fri 2005-03-25 at 19.54, abend wrote:
Hi all,

I'm configuring a Linux server which may act as our main hosting
server. That is, we provide hosting services for small businesses, and
we need to configure our Linux server to host their web pages. Our
clients will upload their files by ftp (for now it's vsftpd).

Our first purpose was setting the ftp server so that uploaded files are
owned by the user who logged in and by group www-data (the files for
each virtual server are under /home/example/www, where example stands
for an example user), with umask set to 027. Our requirement is that
the user example does not belong to the www-data group. This way we
get no problems with users reading another user's php code, etc., but we
didn't find any ftp server which permits us to do that (proftpd has a
GroupOwner directive which makes uploaded files group-owned by
the group we want, but the user needs to belong to that group,
which is not our intention). We searched for information on how to run
the ftp server (the child process after authentication of the user)
as the appropriate user but with pgid www-data, and make the files
owned by this group, but none of proftpd, wu-ftpd or vsftpd matched
these characteristics.

Our last approach was making users belong to the www-data group. This
doesn't directly protect one client's php code from the others, but our
clients don't get shell access, and we thought we could configure PHP
safe_mode. The problem with this is that files created by a php script
are owned by the user who runs apache: www-data; if we
want to read these files from another php script, owned by some user,
it'll fail according to our safe_mode configuration. We can't use
suExec because we're using mod_php, not cgi. I've read a recent
thread on this same mailing list about all this, but it didn't help.

In order to solve my problem, my questions are:
- Can I run apache's child processes as an arbitrary user
(configured on a per-VirtualHost basis)? This solves the second problem,
but is this a good idea?
- Does anyone know how to make the first configuration work as
expected? This solves the problem (safe_mode not needed).
- Any other ideas?

Yours, 
Roi Rodriguez
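
The ownership model from the first approach in the quoted post (files group-owned by www-data, umask 027, account not a member of the web group) can be audited on an existing docroot with a script like the one below. It is an added example, not part of the thread; the function names are hypothetical, and a Linux system with the usual find and id utilities is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a docroot against the
# "user:www-data, umask 027, user not in www-data" model from the post.
# Function names are hypothetical; file names are assumed to contain no newlines.

# Print every entry under $1 that is not group-owned by $2 (name or gid)
# or that grants any permission to "other" (umask 027 would have cleared them).
list_violations() {
    docroot=$1 web_group=$2
    find "$docroot" \( ! -group "$web_group" \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of offending entries under $1 for web group $2.
count_violations() {
    list_violations "$1" "$2" | wc -l | tr -d ' '
}

# Succeeds (exit 0) if user $1 is a member of group $2.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Audit one account; the docroot defaults to /home/<user>/www as in the post.
audit_account() {
    user=$1 web_group=$2 docroot=${3:-/home/$1/www}
    rc=0
    if user_in_group "$user" "$web_group"; then
        echo "FAIL: $user is a member of $web_group"
        rc=1
    fi
    n=$(count_violations "$docroot" "$web_group")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n entries under $docroot break the model:"
        list_violations "$docroot" "$web_group" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Example call (account name taken from the post's placeholder):
#   audit_account example www-data
```

Under mod_php every script still runs as the Apache user, so a clean audit only shows that FTP accounts cannot read each other's files, not that one site's PHP code is isolated from another's.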

