How do you set up file and folder rights in a shared web hosting environment? Do you use apache + suexec? How can you prevent members of group "www" from reading files belonging to other users on the system (through ssh or php)?
3 Answers
One half of the solution is to chroot jail users into their respective DocumentRoots when they login to transfer files.
This can be achieved easily with SSH (SFTP/SCP) by using the ChrootDirectory directive.
Edit:
As the above de facto practice has been oddly down-voted I may as well provide the other half too.
Generally the only way to prevent Apache scripting modules from accessing files on the FS that they shouldn't is to run them through suEXEC as CGI, which is pretty horrible in my opinion. You will then need to separately ensure that each user's files are restricted only to their own UID/GID, i.e. umask 027. Alternatively there are some third-party modules that will do this in a box for you, such as suPHP.

This will still not keep apache from being able to read the files of another user. After all you can still do a find for files with appropriate permissions and then simply read them... – serverhorror Jun 17 '09 at 11:45
-
Indeed. That's why it's only one half of the solution. – Dan Carley Jun 17 '09 at 12:02
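An added check for the ChrootDirectory half of this answer (example code, written for this page, not from the answer or from the OpenSSH project): sshd only accepts a chroot whose directory and every parent are owned by root and not group- or world-writable, so a user-owned DocumentRoot cannot itself be the ChrootDirectory; the usual layout is a root-owned per-user home with a user-writable public_html inside it. The script walks a path upwards and reports the first component that would make sshd reject it, and prints a sample sshd_config Match block (the group name www comes from the question; the /home/%u layout and the internal-sftp restriction are assumptions for the example).

```shell
#!/bin/sh
# Added example, not from the thread: validate a candidate ChrootDirectory.
# sshd rejects the chroot unless the directory and every path component above
# it are owned by root and writable by nobody else.
set -eu

# component_ok PATH
#   returns 0 when PATH is root-owned and neither group- nor world-writable;
#   only POSIX find primaries are used so this runs on GNU and BSD systems.
component_ok() {
    [ -n "$(find "$1" -prune -user root ! -perm -020 ! -perm -002 -print)" ]
}

# check_chroot_path DIR
#   walks from DIR up to / and reports the first component sshd would refuse;
#   returns 0 when the whole chain is acceptable, 1 otherwise.
check_chroot_path() {
    p=$1
    while :; do
        if ! component_ok "$p"; then
            echo "bad chroot component: $p (must be root-owned, no group/other write)"
            return 1
        fi
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# sshd_sftp_match_block
#   prints the sshd_config fragment that jails members of group www into their
#   own home for file transfer (assumed layout: /home/<user> root-owned,
#   /home/<user>/public_html owned by the user).
sshd_sftp_match_block() {
    cat <<'EOF'
Match Group www
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Constructed demo: a group-writable directory is rejected whatever its owner.
demo_bad=$(mktemp -d)
chmod 0770 "$demo_bad"
check_chroot_path "$demo_bad" || echo "(rejected, as expected)"
echo "--- sshd_config fragment ---"
sshd_sftp_match_block
```

A Match block applies until the next Match or the end of the file, so append it at the end of sshd_config, and run check_chroot_path on each user's home before restarting sshd; a chain that fails here produces a "bad ownership or modes for chroot directory" login failure rather than a working jail.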
The most common practice would be that each user in the shared web hosting environment would have their own UID (username) & GID (group) separate from that of the one the Apache web server runs at. You can use suexec to keep CGIs running as the same permissions as the user and not as the web server user/group. PHP will do this already for you by running as the user and not allowing the code to access something it doesn't have permissions to.
The problem will be in preventing members from being able to read files, as the permissions have to be open enough that the Apache server can read them to be able to serve them. I would recommend, if each user has their own UID/GID, 0664 for files and 0775 for directories. That gives 'others' read access only.

but it's still read only. i mean, you can still read configuration files and passwords in others document roots... – gpilotino Jun 17 '09 at 11:02
-
Yes... the Apache DocumentRoot has to be read only... If you have configuration files and passwords then they can be put in another directory outside the DocumentRoot and permissions set more restrictive so long as the pages calling them in the DocumentRoot can access them. This is a problem when you're using a shared web environment... Generally if I need something that high security I get a dedicated server or VPS not shared. – Jeremy Bouse Jun 17 '09 at 23:15
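An added audit illustrating the exchange above (example code written for this page, not from the answer or its comments): with 0775/0664 every file in an account is readable by "others", which is exactly what the find-based read in serverhorror's comment relies on, and the fix proposed here is to keep only the DocumentRoot world-readable and move configuration outside it with group-only access. The script builds a constructed two-account tree in a temp directory (the home/public_html/config layout and the account names are assumptions), lists world-readable files, and applies the tighter modes to the config directory; ownership is not changed because the demo does not run as root, so the group that keeps 0750/0640 readable for the web server is left to the administrator.

```shell
#!/bin/sh
# Added example, not code from this thread: find files that "others" can read
# under an account, then restrict the config directory to owner and group.
set -eu

# audit_world_readable DIR
#   prints every regular file under DIR whose mode grants read to "others";
#   returns 1 if any were found, 0 if the tree is clean.
audit_world_readable() {
    found=$(find "$1" -type f -perm -004 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# lock_down_config DIR
#   removes all "others" access from DIR/config and its files (0750/0640);
#   group access stays so a web server in the account's group, or a
#   suEXEC/suPHP process running as the account, can still read them.
lock_down_config() {
    chmod 0750 "$1/config"
    find "$1/config" -type f -exec chmod 0640 {} +
}

# demo_tree
#   builds the constructed sample layout (public_html as DocumentRoot, config
#   beside it) for two accounts and applies the 0775/0664 scheme from the
#   answer above to both; prints the base directory.
demo_tree() {
    base=$(mktemp -d)
    for u in alice bob; do
        mkdir -p "$base/$u/public_html" "$base/$u/config"
        printf '%s\n' "<?php include '../config/db.php'; ?>" > "$base/$u/public_html/index.php"
        printf '%s\n' "db_password=constructed-sample-secret" > "$base/$u/config/db.php"
        find "$base/$u" -type d -exec chmod 0775 {} +
        find "$base/$u" -type f -exec chmod 0664 {} +
    done
    echo "$base"
}

tree=$(demo_tree)
echo "world-readable files under bob's account with 0775/0664:"
audit_world_readable "$tree/bob" || true
lock_down_config "$tree/bob"
echo "world-readable files under bob's config after lock-down:"
audit_world_readable "$tree/bob/config" && echo "(none)"
```

Running audit_world_readable over every home directory is a cheap periodic check; anything it lists outside a DocumentRoot is readable by every other shell or PHP user on the box and should either move under a 0750 directory or have a reason to be public.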
FreeBSD jails are an option.

Shared doesn't necessarily mean shared IP. Providing multiple "shared" hosting accounts on a physical box can be provided with jails. – LukeR Jun 17 '09 at 12:59