RE: [cobalt-security] suggestion: chmod the files
- Subject: RE: [cobalt-security] suggestion: chmod the files
- From: Matthias Pigulla <mp@xxxxxxxxxxxxx>
- Date: Sun, 24 Sep 2000 23:44:42 +0200
I have addressed this issue several times, also in the context of the RaQs and
PHP; please see the "php and raq2" thread, too.
Last time I had an idea of what could be done; unfortunately, I got no replies
on it though I posted it two times. It would be nice if you could drop a few
lines on what you think about the following... does it fix the problem?
> -----Original Message-----
> From: Matthias Pigulla
> Sent: Saturday, August 26, 2000 12:39 PM
> OK, I've been a bit off topic by now. Concerning our issue: What about
> setting the /home/siteX directories to httpd:siteX, chmod 2750, and all
> files below them to [user]:siteX and either 640/750 or 644/755 if they have
> to be httpd readable?
>
> I think this would block "foreign" users from entering other customers'
> (yeah, sites = customers :) directories. The http daemon could get the
> directories for he owns them and does not need to be siteX group member.
> The siteX's are granted access by the siteX group they belong to.
> Admin would have to be part of all site groups, and he already is.
>
> I'm not sure whether this would open another hole - you MUST make sure that
> NOBODY (at least no untrusted user) is able to run processes as http, or he
> could take over the whole site directory. So you must wrap all CGI
> processes, run PHP as wrapped CGI (performance :-() ...
Best regards,
Matthias
--
w e b f a c t o r y G m b H
Matthias Pigulla <mp@xxxxxxxxxxxxx> - Managing Director
Lessingstr. 60 - D-53113 Bonn - Germany - www.webfactory.de
Phone +49(0)228-9114455 - Fax +49(0)228-9114499 - ICQ 6394233
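The scheme proposed above, as an added example that is not part of the list thread: a small Python model of the classic Unix owner/group/other check, run over a constructed one-site layout (site dir httpd:siteX 2750, files user:siteX 640 or 644), showing who can read what, that the setgid bit keeps new files in the site group, and where the "anything running as httpd" hole sits. The user names (user1, user2, admin) and the group memberships of each process are assumptions.

```python
# Model of the proposed permission scheme (added example, not code from the list).
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int          # permission bits, e.g. 0o2750 (setgid + rwxr-x---)

@dataclass(frozen=True)
class Proc:
    user: str
    primary_group: str
    groups: frozenset  # supplementary groups, includes the primary one

def may(proc: Proc, node: Node, bit: str) -> bool:
    """Classic Unix DAC check (root is not modelled): owner, else group, else other."""
    shift = 6 if proc.user == node.owner else 3 if node.group in proc.groups else 0
    return bool(node.mode & ({"r": 4, "w": 2, "x": 1}[bit] << shift))

def can_read(proc: Proc, path: list) -> bool:
    """Reading a file needs search (x) on every directory on the way plus r on the file."""
    *dirs, leaf = path
    return all(may(proc, d, "x") for d in dirs) and may(proc, leaf, "r")

def new_file_group(proc: Proc, parent: Node) -> str:
    """With setgid (the 2 in 2750) on the directory, new files inherit its group."""
    return parent.group if parent.mode & stat.S_ISGID else proc.primary_group

# Constructed layout for one site under the proposed scheme (assumed names).
HOME    = Node("root",  "root",  0o755)
SITE1   = Node("httpd", "site1", 0o2750)
INDEX   = Node("user1", "site1", 0o644)   # must be readable by httpd
PRIVATE = Node("user1", "site1", 0o640)   # not meant for the web server

HTTPD = Proc("httpd", "httpd", frozenset({"httpd"}))
USER1 = Proc("user1", "site1", frozenset({"site1"}))
USER2 = Proc("user2", "site2", frozenset({"site2"}))              # another customer
ADMIN = Proc("admin", "admin", frozenset({"admin", "site1", "site2"}))

def scheme_report() -> dict:
    return {
        "httpd_reads_index":    can_read(HTTPD, [HOME, SITE1, INDEX]),    # True
        "httpd_reads_private":  can_read(HTTPD, [HOME, SITE1, PRIVATE]),  # False
        "user2_enters_site1":   may(USER2, SITE1, "x"),                   # False
        "user1_reads_private":  can_read(USER1, [HOME, SITE1, PRIVATE]),  # True
        "admin_reads_private":  can_read(ADMIN, [HOME, SITE1, PRIVATE]),  # True
        "httpd_writes_site1":   may(HTTPD, SITE1, "w"),   # True: the hole named above
        "user1_new_file_group": new_file_group(USER1, SITE1),             # "site1"
    }
```

The last two entries are the point of the caveat in the quoted message: because httpd owns the site directory, any process that runs as httpd can write there, so CGI and PHP must not run under that uid.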
> -----Original Message-----
> From: Florian Effenberger [mailto:florian.effenberger@xxxxxxxxxxxxx]
> Sent: Friday, 15 September 2000 19:14
> To: cobalt-users@xxxxxxxxxxxxxxx; cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] suggestion: chmod the files
>
> Hello,
>
> and another one :)
>
> I only give one very trusted customer Telnet access, but this user can
> see too much in my opinion. He can list /home/sites and therefore see
> the URLs of our clients.
>
> Is it possible that you release a patch so /home/sites (and other
> directories!) can be listed only as root?
>
> Thanks a lot,
> Florian