Virtual Hosting Security
Marco Gonçalves
marco at aces.pt
Tue Jul 29 10:12:57 PDT 2003
Dear ISP colleagues,
We are running a couple of servers with FreeBSD that are serving multiple domains (virtual hosting), running all common services (web, email, DNS, FTP, etc.).
We run Apache as the www user and www group, and the common layout for the web directories is
/home/user1/www/
/home/user2/www/
/home/user3/www/
where the permissions on each home directory (user1, user2, etc.) are
r-xrwx--- www usergroup
Apache can enter the directory, and so can members of the user's group. So we can give SSH access to users, such that each user can only enter his own directory and cannot browse other users' directories.
The problem is that we offer PHP4 as mod_php4 for Apache, and even though we haven't had any problem (yet), in theory it is easy to set up a PHP script using filesystem functions to run, list and view the file contents of other users... because the script is running as the www user, and this user has permission to enter/read all users' www directories.... How can I fix this? Must I use suexec? Does it run properly? Do I have to put PHP as CGI only? What is the tradeoff in performance?
Another thing (maybe this should be in another email...): we are developing our own control panel, and for the system password we are using a PHP script that uses poppassd on port 106, which does all the work. The problem is that I have to run poppassd from inetd, and this sucks, especially because it's the only service for which I need inetd... Can I run it from tcpserver? How? Where can I find good info on this (the documentation on D. J. Bernstein's site really sucks for a not so experienced sysadmin like me)? Is it safe (poppassd, I mean)?
Well, sorry for this huge mail and thanks in advance for all answers.
Best Regards,
Marco Gonçalves
Head of Development
marco.goncalves at aces.pt
---------------------------------------------------------------------------------
Lisbon / South
Rua de São José, 149/159, Floors 2 and 3
1169-115 Lisboa
Main number: 707 22 10 40
Fax 21 342 18 03
www.aces.pt
---------------------------------------------------------------------------------
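The exposure the post describes comes from the standard Unix owner/group/other check applied to the layout above: every tenant directory is owned by www, so any script the server runs as www can enter every tenant's directory, while tenant accounts themselves are kept apart by their groups. The following is an added example, not code from the post or from FreeBSD/Apache; it models that check over a constructed user table and directory table mirroring the post's layout (owner www, group per tenant, mode 0570). The second table, PER_USER_LAYOUT, is an assumption: it models a layout where each tenant owns its directory and www is only in the group with r-x, which is the kind of layout that only isolates tenants if the server executes each tenant's scripts as that tenant (the per-user execution model the post asks about with suexec and PHP as CGI). The functions compute which other tenants' directories a script can read under each model, so the cross-tenant reach can be checked before and after a layout change.

```python
import stat

# Constructed user database: account name -> set of groups it belongs to.
USERS = {
    "www":   {"www"},
    "user1": {"user1grp"},
    "user2": {"user2grp"},
    "user3": {"user3grp"},
}

# Constructed directory table mirroring the post: path -> (owner, group, mode).
# 0o570 is r-xrwx---: owner www gets r-x, the tenant's group rwx, others nothing.
SHARED_LAYOUT = {
    "/home/user1": ("www", "user1grp", 0o570),
    "/home/user2": ("www", "user2grp", 0o570),
    "/home/user3": ("www", "user3grp", 0o570),
}

# Assumed alternative layout (not from the post) for a per-tenant execution
# model: the tenant owns its directory, www is only in the group with r-x so
# static files can still be served.  0o750 is rwxr-x---.
PER_USER_LAYOUT = {
    "/home/user1": ("user1", "www", 0o750),
    "/home/user2": ("user2", "www", 0o750),
    "/home/user3": ("user3", "www", 0o750),
}

TENANTS = ("user1", "user2", "user3")


def effective_access(user, owner, group, mode, users=USERS):
    """Bits ('r', 'w', 'x') that `user` gets on an inode with the given
    owner/group/mode, following the owner -> group -> other order of the
    standard Unix check.  Root is deliberately not modelled here."""
    if user == owner:
        bits = (mode & stat.S_IRWXU) >> 6
    elif group in users.get(user, set()):
        bits = (mode & stat.S_IRWXG) >> 3
    else:
        bits = mode & stat.S_IRWXO
    return {name for name, flag in (("r", 4), ("w", 2), ("x", 1)) if bits & flag}


def can_read_dir(user, path, layout):
    """A directory is readable for our purposes when the user can both
    enter it (x) and list it (r)."""
    owner, group, mode = layout[path]
    return {"r", "x"} <= effective_access(user, owner, group, mode)


def script_reach(script_owner, run_as, layout):
    """Other tenants' directories that a script placed by `script_owner`
    can read when the web server executes it as `run_as`.  An empty list
    means no cross-tenant exposure from that tenant's scripts."""
    own = f"/home/{script_owner}"
    return sorted(p for p in layout if p != own and can_read_dir(run_as, p, layout))


def compare_models():
    """Cross-tenant reach per tenant under the shared-identity model (all
    scripts run as www, as in the post) and under the assumed per-tenant
    model (each tenant's scripts run as that tenant)."""
    shared = {t: script_reach(t, "www", SHARED_LAYOUT) for t in TENANTS}
    per_user = {t: script_reach(t, t, PER_USER_LAYOUT) for t in TENANTS}
    return shared, per_user


if __name__ == "__main__":
    shared, per_user = compare_models()
    for tenant in TENANTS:
        print(f"{tenant}: scripts as www can read {shared[tenant]}; "
              f"scripts as {tenant} can read {per_user[tenant]}")
```

The model also shows that www itself still reads every tenant directory under PER_USER_LAYOUT (it has to, to serve static files), so the gain from per-tenant execution is only in what dynamic scripts can reach; anything the server process reads on a tenant's behalf is unchanged by the layout alone.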
More information about the freebsd-isp mailing list