Re: virtual hosting methods
On Sat, Nov 24, 2001 at 06:44:02PM -0500, Kevin J. Menard, Jr. wrote:
> MpP> For simple masshosting I still suggest mod_vhost.
> Which brings me back to my original question. For simple masshosting, I
> would agree. But what about a system where some vhosts have CGI or SSI
> access for example, and some don't. Would the former setup be better, or
> the latter?
This is my biggest problem and a significant security hole :/
I have a directory /www containing all the vhosting directories, named
the entire directory tree is owned by a user called virtual, and
everyone has CGI, PHP and SSI access.
In this way it would be very easy for anyone to upload a 'file manager'
CGI and be able to change the documents of any other Vhost user :(
People have pointed me at sudo in the past but I don't want to start
creating /etc/passwd users - that was the whole point of the virtual
system - no real system users for www, ftp or mail!
Any ideas, anyone? We haven't had any problems to date because none of
our clients know anything / much about scripting...