#1  26th April 2008, 15:58
berny (Junior Member, Join Date: Nov 2007, Posts: 5)
Goal: user separation (but apache can't read what suPHP wrote)

Goal: user separation
My goal is to achieve user separation such that no user can read files from a different web or vhost, whether through ftp or a shell account. At the same time Apache needs to be able to serve all the content it should serve. So ideally all files should be readable by the file owner only (0400 or 0600).

Means: suPHP?
I tried to achieve this through the use of suPHP. I have suPHP configured to run any php scripts with the user and group they belong to. suPHP can execute all 0700 files and read and write all 0600 files. Up to here everything is going just as I expect it to.

Problem: apache2 can't read files
The problem begins when apache2 comes into play. It cannot read any file that is not world-readable. Apache still seems to use its default UID www-data and its default GID www-data. Thus it cannot read any files that are 0600 or 0640.

Can apache2 assume a different UID per Vhost?
I searched the apache2 website and the web and did not find any way to tell apache to take on a specific UID for a given Vhost. Is there a way to do this?

Help!
Is there anything I can do to achieve my goal? Maybe I'm trying to achieve the goal of user-separation the wrong way? What is the standard and/or smart way to do this?

My configuration:

apache2
Code:
zwei:~# apache2 -V
Server version: Apache/2.2.3
Server built:   Jan 27 2008 18:13:21
Server's Module Magic Number: 20051115:3
Server loaded:  APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT=""
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
Code:
zwei:~# cat /etc/apache2/httpd.conf 
LoadModule suphp_module       /usr/lib/apache2/modules/mod_suphp.so
suPHP
Code:
zwei:~# suphp -V
suPHP version 0.6.2
Code:
zwei:~# cat /etc/suphp.conf 
[global]
;Path to logfile
logfile=/var/log/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=www-data

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false

;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-php=php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper

;Handler for CGI-scripts
x-suphp-cgi=execute:!self
Vhosts_ispconfig.conf
Code:
zwei:~# cat /etc/apache2/vhosts/Vhosts_ispconfig.conf
[...]

#
#
######################################
# Vhost: www.domain.de:80
######################################
#
#
<VirtualHost 213.133.108.249:80>
SuexecUserGroup ardan web55
ServerName www.domain.de:80
ServerAdmin webmaster@domain.de
DocumentRoot /var/www/web55/web
ServerAlias ardan-heerkens.de
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
Alias  /cgi-bin/ /var/www/web55/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/web55/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
<Directory /var/www/web55/web>
  suPHP_Engine on
  suPHP_UserGroup ardan web55
  AddHandler x-httpd-php .php .php3 .php4 .php5
  suPHP_AddHandler x-httpd-php
  SetEnv php_safe_mode On
</Directory>
Alias /error/ "/var/www/web55/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web55/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web55/user/$1/web/$3
</VirtualHost>

#2  26th April 2008, 19:22
till (Super Moderator, Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 36,796)

You can try to enable suexec under management > server > settings in ISPConfig, but as far as I know it will affect only scripts that were executed.

The default solution is to make your html pages and images (not the php scripts) world readable, as they should be accessed through the web interface anyway. Or you add the apache user to the group of the web, but that can be more insecure as this might make your php scripts also visible to the apache server itself.

Note: We are all able to read text in the default size.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
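As an added example (not code from the thread or from ISPConfig), a POSIX shell script that applies the first layout Till suggests to a web root and then checks it: directories 0711 so www-data can traverse but not list them, non-PHP files 0644 so Apache can serve them, PHP files 0600 because suPHP runs them as their owner. It assumes GNU find/stat on Linux; the web root and owner names in the comments are taken from the vhost config posted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig. Applies the
# first layout Till suggests to a suPHP web root and then checks it:
#   directories  0711  www-data can traverse but not list them
#   static files 0644  html/images stay world-readable so Apache can serve them
#   PHP scripts  0600  only the owner reads them; suPHP runs them as that owner
# Assumes GNU find/stat (Linux). Ownership (e.g. ardan:web55 in the thread's
# vhost) is left untouched because that is what suPHP switches to.

# Octal mode of a path; GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Apply the layout below a web root, e.g. harden_webroot /var/www/web55/web
harden_webroot() {
    root=$1
    find "$root" -type d -exec chmod 0711 {} +
    find "$root" -type f ! -name '*.php' -exec chmod 0644 {} +
    find "$root" -type f -name '*.php' -exec chmod 0600 {} +
}

# Report deviations from the layout. Prints offending paths and returns 1
# when any are found, so it can be run from cron after uploads via ftp.
check_webroot() {
    root=$1
    # PHP sources with any group/other bit set are readable by more than suPHP
    exposed=$(find "$root" -type f -name '*.php' -perm /077)
    # static files without the other-read bit make Apache answer 403
    unreadable=$(find "$root" -type f ! -name '*.php' ! -perm -004)
    # directories without other-execute keep Apache from reaching anything below
    blocked=$(find "$root" -type d ! -perm -001)
    [ -n "$exposed" ] && printf 'php script readable by group/others:\n%s\n' "$exposed"
    [ -n "$unreadable" ] && printf 'static file not world-readable:\n%s\n' "$unreadable"
    [ -n "$blocked" ] && printf 'directory not traversable by others:\n%s\n' "$blocked"
    [ -z "$exposed" ] && [ -z "$unreadable" ] && [ -z "$blocked" ]
}
```

The check deliberately flags 0640 static files too: under the second option (www-data added to the web's group) they would be served, but that is the variant Till calls less secure.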