I'm pretty new at this. So I figured out that apache2 starts processes as www-data user. Suppose this user then starts untrusted code. What if I wanted to disallow this user to read any files (like /etc/fstab for example). How would I go about this? Ubuntu 11.04 by the way.
2 Answers
4
Are there secrets in /etc/fstab you don't want users reading?
In general, you'd remove r access for others on the files, but fstab contains no secrets, so you are just likely to break things.
Specifically with Apache, you probably have the option to run it in a chroot, so it can't read outside of /var/www or wherever your httpd lives.

Alex Holst
- I was hoping I could set read privileges per user instead of per file. Chroot is not an option since it looks like you can't run executables, because they can't find shared libraries under the new root. – ren Sep 18 '11 at 12:58
- I wasn't suggesting you create a full jail for every application, rather that the application you need has support for the chroot(2) call. Apache 1.3 and most other daemons in OpenBSD are examples of this. Instead, if you want to set read privs per user, you'd need something along the lines of SELinux or the TrustedBSD efforts for FreeBSD. – Alex Holst Sep 22 '11 at 05:48
1
You could deny access by chmoding those files so that the www-data user can't read them.
One trick you could use would be to change the group of those files to the www-data group and set the mode so that the group can't read the files.
$ chgrp www-data /etc/fstab
$ chmod g-rwx /etc/fstab
From the PHP side you can use open_basedir, which would in some cases prevent reading files outside the path set as open_basedir.

Hrvoje Špoljar
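To see why the chgrp/chmod trick in this answer works, and where it stops working, here is an added example that is my own illustration, not code from the answer or from Ubuntu. It models the classic Unix discretionary permission check in a few lines of Python: exactly one class of mode bits (owner, group or other) is consulted, chosen in that order, so putting www-data in the file's group and clearing the group bits denies it even though the "other" bits still grant read. The uid/gid values are constructed for the demo (33 is the conventional www-data id on Debian/Ubuntu, but treat it as an assumption), and `Inode`, `can_read`, `deny_group` and `demo` are names I introduce here.

```python
import stat
from dataclasses import dataclass

# Constructed ids for the illustration; 33 is the usual www-data uid/gid on
# Debian/Ubuntu, but treat all of these as assumptions, not values from the page.
ROOT_UID, ROOT_GID = 0, 0
WWW_UID, WWW_GID = 33, 33
ADMIN_UID, ADMIN_GID = 1000, 1000


@dataclass(frozen=True)
class Inode:
    """Just enough of an inode to evaluate a read request: mode bits and ownership."""
    mode: int  # permission bits only, e.g. 0o644
    uid: int   # owning user
    gid: int   # owning group


def can_read(inode: Inode, uid: int, gids: set) -> bool:
    """Model the classic Unix DAC read check.

    Exactly one class of bits is consulted, chosen in the order owner, then group,
    then other; a later class never "rescues" an earlier one. uid 0 bypasses the
    check entirely (on Linux via CAP_DAC_READ_SEARCH), which is why no chmod on
    /etc/fstab can hide it from root.
    """
    if uid == 0:
        return True
    if uid == inode.uid:
        return bool(inode.mode & stat.S_IRUSR)
    if inode.gid in gids:
        return bool(inode.mode & stat.S_IRGRP)
    return bool(inode.mode & stat.S_IROTH)


def deny_group(inode: Inode, gid: int) -> Inode:
    """Emulate `chgrp <gid> FILE` followed by `chmod g-rwx FILE`."""
    return Inode(mode=inode.mode & ~stat.S_IRWXG, uid=inode.uid, gid=gid)


def demo() -> dict:
    # Typical /etc/fstab: owned root:root, mode 0644 (constructed, but the usual default).
    fstab = Inode(mode=0o644, uid=ROOT_UID, gid=ROOT_GID)
    hardened = deny_group(fstab, WWW_GID)
    return {
        "mode_after": oct(hardened.mode),                            # '0o604'
        "www_before": can_read(fstab, WWW_UID, {WWW_GID}),           # True: 'other' bits apply
        "www_after": can_read(hardened, WWW_UID, {WWW_GID}),         # False: group bits now apply
        "admin_after": can_read(hardened, ADMIN_UID, {ADMIN_GID}),   # True: still 'other'
        # Caveat: anyone added to the www-data group (a developer, a deploy account)
        # is denied too, because group membership is checked before the 'other' bits.
        "admin_in_www_group": can_read(hardened, ADMIN_UID, {ADMIN_GID, WWW_GID}),  # False
        "root_after": can_read(hardened, ROOT_UID, {ROOT_GID}),      # True: root bypasses DAC
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two limits follow directly from the model: a file has exactly one group, so this trick can single out only one group per file, and it does nothing against root or against any other user. Note also that open_basedir is enforced inside the PHP interpreter, not by the kernel, so it only constrains PHP scripts; a CGI binary or another interpreter run as www-data is unaffected, and only filesystem permissions or a MAC system such as SELinux (as the first answer says) restrict those.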