[ale] Apache Security Question

Chris Coleman chriscoleman at mail.clayton.edu
Mon Jul 8 16:50:33 EDT 2002


Not sure of the best way to do it; however, the first thing that jumps out at me is that your permissions are too open. You have given others write permission to the home directories. All they need is read and execute, so your chmod can be 755 instead of 777. Two ideas:
 
1. Red Hat uses User Private Groups: each user is in a group by themselves. You could add nobody to each UPG by editing /etc/groups. Then your permissions could be 750 on all the files and directories. Since other users will not be members of the group, they cannot read the directories.
 
2. You could give each user a restricted shell, which prevents them from changing directories. However, I think they can still edit files if they know the path to those files, so again, permissions are important.
 
 
Chris Coleman

	-----Original Message----- 
	From: Prasanna Subash [mailto:subash at skyline.external.hp.com] 
	Sent: Mon 7/8/2002 4:19 PM 
	To: ale at ale.org 
	Cc: 
	Subject: [ale] Apache Security Question
	
	

	Hi all,
	       
	        I run Apache at home on my mdk-8.2 box. This is the small security problem
	that I have.
	
	Each user has his webpage at
	
	/home/USERNAME/web/
	
	and I use NameVirtualHost directives to get to the directory for different
	users.
	
	However, since Apache (httpd) runs as nobody:nobody, it's not able to read those
	directories and I get a permission denied.
	
	My solution was to chmod 777 /home/USERNAME and
	chmod -R 777 /home/USERNAME/web
	
	But this solution is inelegant, as each user can see each other's files by just
	changing directories. .htaccess files have no meaning at this point between
	users on the same box.
	
	How can I solve this ?
	
	--
	------------------------------------------------------------------------
	Prasanna Subash            |
	Linux, the choice          | No one ever built a statue to a critic.
	of a GNU generation   -o)  |
	Kernel 2.5.18          /\  |
	on a i686             _\_v |
	                           |
	------------------------------------------------------------------------
	
	
	---
	This message has been sent through the ALE general discussion list.
	See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
	sent to listmaster at ale dot org.
	
	
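An added example, not code from either post: a POSIX shell script that carries out Chris's first idea (put the web server account into each user's private group, then drop the "other" bits) and checks the result. It assumes the things the thread assumes: httpd runs as nobody, each user's private group is named after the user (the Red Hat UPG convention), and the docroot is $HOME/web. The membership step uses gpasswd, which edits /etc/group for you, and needs root; the chmod and audit parts do not, so they can be tried on a scratch directory first. The modes go one step past "750 on everything": the home directory itself gets 710 (group may traverse it but not list it) and files get 640, since httpd never needs execute on a static file. All names (harden_home, audit_other_bits, WEB_USER, WEB_SUBDIR) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): lock down per-user web
# directories so only the owner and the owner's private group, which will
# include the httpd account, can read them.  WEB_USER and WEB_SUBDIR are
# assumptions taken from the thread (Apache as "nobody", docroot $HOME/web).
WEB_USER="${WEB_USER:-nobody}"
WEB_SUBDIR="${WEB_SUBDIR:-web}"

# ls-style mode string (e.g. drwxr-x---) for one path; used by the checks.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Needs root: add the web server account to the user's private group so
# httpd inherits the group bits.  Without root, show what would be run
# instead of failing, so the chmod/audit steps below can still be exercised.
grant_web_user_group() {
    user="$1"
    if [ "$(id -u)" -eq 0 ]; then
        gpasswd -a "$WEB_USER" "$user"
    else
        echo "would run: gpasswd -a $WEB_USER $user"
    fi
}

# Replace the 777 layout from the question.  Home: owner full, group may
# pass through (x) but not list, other nothing.  Docroot and subdirectories
# 750, files 640.  Other local users get no bits at all, so knowing the path
# /home/USER/web no longer helps them.
harden_home() {
    home="$1"
    if [ ! -d "$home/$WEB_SUBDIR" ]; then
        echo "no $WEB_SUBDIR directory under $home" >&2
        return 1
    fi
    chmod 710 "$home"
    find "$home/$WEB_SUBDIR" -type d -exec chmod 750 {} +
    find "$home/$WEB_SUBDIR" -type f -exec chmod 640 {} +
}

# Print every path under $home that still carries any "other" permission
# bit.  Returns 0 and prints nothing when the tree is clean, 1 otherwise,
# so it doubles as a cron check that nobody has chmod 777'd their site again.
audit_other_bits() {
    home="$1"
    bad=$(find "$home" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Apply all three steps to a list of users living under a base directory.
# Usage: harden_all /home alice bob
harden_all() {
    base="$1"; shift
    for u in "$@"; do
        grant_web_user_group "$u"
        harden_home "$base/$u" || continue
        audit_other_bits "$base/$u" || echo "WARNING: $base/$u still world-accessible" >&2
    done
}

if [ "$#" -gt 0 ]; then
    harden_all "$@"
fi
```

Run it as root as `sh harden-webdirs.sh /home alice bob`, then restart httpd: supplementary groups are fixed when the server drops to nobody at startup, so a running server will not pick up the new membership. /home itself must stay searchable (755 is usual) or nobody cannot reach the home directories at all. One caveat worth knowing before choosing this layout: anything else that runs as nobody, such as a CGI script under mod_cgi without suexec, now has the same read access to every user's web directory, so the scheme keeps users out of each other's files at the shell, not inside the web server.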