Re: virtual hosting methods

To: debian-isp@lists.debian.org
Subject: Re: virtual hosting methods
From: Mark Aitchison <mark@plain.co.nz>
Date: Mon, 26 Nov 2001 12:50:09 +1300
Message-id: <[🔎] 3C0183B1.9AD79047@plain.co.nz>
References: <[🔎] Pine.LNX.4.33.0111250026450.5478-100000@manhattan.pisitek.com> <[🔎] 1249428988.20011124184402@wpi.edu> <[🔎] 20011125122620.A16150@acentral.co.uk>

Gavin Hamill wrote:

> This is my biggest problem and a significant security hole :/
> 
> I have a directory /www containing all the vhosting directories, named
> domain.com, etc.
> 
> the entire directory tree is owned by a user called virtual, and
> everyone has CGI, PHP and SSI access.
> 
> In this way it would be very easy for anyone to upload a 'file manager'
> CGI and be able to change the documents of any other Vhost user :(

Why not have the owner of the files be somethingelse, and "virtual"
has group read rights; so to upload any file they would have an upload
web page which passes the job to the owner, somethingelse.  You wouldn't
need to create multiple real users, just two for the job (which could then
use sudo, and you'd have to lock-down that upload program well).

Mark Aitchison

-- 
phone:(064)3-364-5888       /\/\  _/\ /\
fax:  (064)3-364-5835     _/    \/   ^  \/\,__
System Administrator at:  Plain Communications
====<A "mailto:M.Aitchison@plain.co.nz";>======

Reply to:

References:
- Re: virtual hosting methods
  - From: Martin 'pisi' Paljak <pisi@pisitek.com>
- Re[2]: virtual hosting methods
  - From: "Kevin J. Menard, Jr." <kmenard@WPI.EDU>
- Re: virtual hosting methods
  - From: Gavin Hamill <gdh@acentral.co.uk>

Prev by Date: Installing PPP 2.4.0
Next by Date: Re: rogue Chinese crawler
Previous by thread: Re: virtual hosting methods
Next by thread: Re: virtual hosting methods
Index(es):
- Date
- Thread