RE: [cobalt-security] RaQ2: Default user access/site permissions
- Subject: RE: [cobalt-security] RaQ2: Default user access/site permissions
- From: Matthias Pigulla <mp@xxxxxxxxxxxxx>
- Date: Mon, 4 Sep 2000 15:42:31 +0200
Hi folks,
I have been waiting a week now... I'd like to hear any comments on this
workaround - if it is one? :-).
Thanks a lot,
Matthias
> -----Original Message-----
> From: Matthias Pigulla
> Sent: Saturday, August 26, 2000 12:39 PM
> OK, I've been a bit off topic by now. Concerning our issue: What about
> setting the /home/siteX directories to httpd:siteX, chmod 2750, and all
> files below them to [user]:siteX and either 640/750 or 644/755 if they have
> to be httpd readable?
>
> I think this would block "foreign" users from entering other customers'
> (yeah, sites = customers :) directories. The http daemon could get the
> directories for he owns them and does not need to be a siteX group member.
> The siteX's are granted access by the siteX group they belong to.
> Admin would have to be part of all site groups, and he already is.
>
> I'm not sure whether this would open another hole - you MUST make sure that
> NOBODY (at least no untrusted user) is able to run processes as http, or he
> could take over the whole site directory. So you must wrap all CGI
> processes.
--
w e b f a c t o r y G m b H
Matthias Pigulla <mp@xxxxxxxxxxxxx> - Geschaeftsfuehrer
Lessingstr. 60 - D-53113 Bonn - Germany - www.webfactory.de
Fon +49(0)228-9114455 - Fax +49(0)228-9114499 - ICQ 6394233
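
The permission scheme proposed in the quoted message, modelled as an added example (not part of the original post): it applies the standard POSIX owner/group/other check to a 2750 `httpd:siteX` directory with 640 and 644 files, and shows who can enter, who can read, and who could change the directory's mode. All account names, uids, gids and file names are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample accounts and objects; names and ids are assumptions.
Proc = namedtuple("Proc", "name uid gids")
Node = namedtuple("Node", "path uid gid mode")

HTTPD, ALICE, BOB, ADMIN = 80, 1001, 1002, 500   # uids
SITE1, SITE2, WWW = 2001, 2002, 80               # gids

PROCS = {
    "httpd": Proc("httpd", HTTPD, {WWW}),        # not a member of any site group
    "alice": Proc("alice", ALICE, {SITE1}),      # customer of site1
    "bob":   Proc("bob", BOB, {SITE2}),          # "foreign" user from site2
    "admin": Proc("admin", ADMIN, {SITE1, SITE2}),
}

SITE_DIR = Node("/home/site1", HTTPD, SITE1, 0o2750)
PRIVATE  = Node("/home/site1/private.dat", ALICE, SITE1, 0o640)
PUBLIC   = Node("/home/site1/index.html", ALICE, SITE1, 0o644)

def allowed(proc, node, want):
    """POSIX class selection: owner, else group, else other (exactly one applies)."""
    if proc.uid == node.uid:
        bits = node.mode >> 6
    elif node.gid in proc.gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & 7) & want == want

def can_read(proc, directory, f):
    # Reading a file needs search (x=1) on the directory and read (r=4) on the file.
    return allowed(proc, directory, 1) and allowed(proc, f, 4)

def can_chmod(proc, node):
    # Only the owner (or root, not modelled here) may change an object's mode.
    return proc.uid == node.uid

def report():
    """Per account: (enter dir, read 640 file, read 644 file, chmod the site dir)."""
    return {name: (allowed(p, SITE_DIR, 5), can_read(p, SITE_DIR, PRIVATE),
                   can_read(p, SITE_DIR, PUBLIC), can_chmod(p, SITE_DIR))
            for name, p in PROCS.items()}

if __name__ == "__main__":
    print("user   enter   read640 read644 chmod-dir")
    for name, row in report().items():
        print(f"{name:6} " + " ".join(f"{str(v):7}" for v in row))
```

The last column is the caveat from the message: any process running as the directory owner can change the directory's mode, which is why CGI must not run under the web server's uid.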