[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: virtual hosting methods

Gavin Hamill wrote:

> This is my biggest problem and a significant security hole :/
> I have a directory /www containing all the vhosting directories, named
> domain.com, etc.
> the entire directory tree is owned by a user called virtual, and
> everyone has CGI, PHP and SSI access.
> In this way it would be very easy for anyone to upload a 'file manager'
> CGI and be able to change the documents of any other Vhost user :(

Why not have the owner of the files be somethingelse, and "virtual"
has group read rights; so to upload any file they would have an upload
web page which passes the job to the owner, somethingelse.  You wouldn't
need to create multiple real users, just two for the job (which could then
use sudo, and you'd have to lock-down that upload program well).

Mark Aitchison

phone:(064)3-364-5888       /\/\  _/\ /\
fax:  (064)3-364-5835     _/    \/   ^  \/\,__
System Administrator at:  Plain Communications
====<A "mailto:M.Aitchison@plain.co.nz";>======

Reply to: