Jesse Tux's lil' helper
Joined: 24 Apr 2002 Posts: 148
Posted: Fri Nov 08, 2002 4:25 pm Post subject: Getting around linux maxgroup limit ...
I run a small Linux-based server at my school where we can give out accounts to whomever really wants one. All users have the ability to specify a public_html directory to set up a webpage etc. AND run their own cgi scripts, php stuff, etc.
The problem is that as long as one user knows the exact name of that cgi script of another user, they can view its source (assuming public_html perms. of 751). I've added a www-data user which apache runs under and I planned on making www-data a member of each user's group. (BTW I have groups for each user ...) This works fine for the first 32 users who are then able to use 750 as their permissions. This is great ... but for the other 40 users I have it really sucks.
My question is how do you guys do it? How do you run a large system, 70+ users, each with a webpage that is totally unviewable by other users (except through a browser of course) ????
Many of my users are students with HTML assignments so any help securing their directories would greatly be appreciated.

klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Fri Nov 08, 2002 5:39 pm Post subject: Re: Getting around linux maxgroup limit ...
Jesse wrote:
> My question is how do you guys do it? How do you run a large system, 70+ users, each with a webpage that is totally unviewable by other users (except through a browser of course) ????
Look at CGIWrap and/or Apache's suEXEC. Both allow you to set sensitive files to 700 and still have them work correctly. Be extremely, extremely careful with both programs, however. Misconfigurations can leave the entire server open to r00ting and lord knows schools are breeding grounds for script kiddies...
--kurt
_________________
The problem with political jokes is that they get elected

Jesse Tux's lil' helper
Joined: 24 Apr 2002 Posts: 148
Posted: Sat Nov 09, 2002 6:44 am
What about ACLs? Can they offer me the ability to just add www-data as a reader to all files (say all php and cgi scripts)? suEXEC scares me as their page has warnings everywhere. Haven't had time to look at CGIWrap yet ... does it only handle cgi?
Anyone have concrete pointers on how to set this up and maybe an explanation of what your setup actually accomplishes now that it couldn't before (security-wise)?

rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Sat Nov 09, 2002 7:05 am
Jesse wrote:
> suEXEC scares me as their page has warnings everywhere.
Have a look at your apache error log...I bet you have suEXEC running already.
_________________
For every higher wall, there is a taller ladder

Jesse Tux's lil' helper
Joined: 24 Apr 2002 Posts: 148
Posted: Sat Nov 09, 2002 7:07 am
You know ... that's funny because about 5 seconds ago I did notice ... that's definitely my bad. That also explains why someone trying to execute a script with 777 perms got nothing; it doesn't match the security policy of suEXEC .... maybe I'll play around with that a bit. ACL will require a kernel recompile for me right now anyhow.
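
The 777 rejection mentioned in the last post, as an added example that is not part of the original thread and is not Apache's own code: a shell function that approximates a subset of suEXEC's documented file checks (script and directory not writable by group or other, no setuid/setgid bit, script and directory owned by the same user) and also flags source that other local users can read. The names `audit_cgi`, `mode_of`, `has_bits` and the file name `audit_cgi.sh` are hypothetical, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: audit CGI scripts against a subset of suEXEC's
# documented file checks. Assumes GNU stat (stat -c), as on Linux.

# Print the permission bits of $1 in octal, e.g. 750 or 4755.
mode_of() { stat -c '%a' "$1"; }

# Succeed if octal mode $1 has any bit of octal mask $2 set.
has_bits() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# Audit script $1: one finding per line, returns 0 only when none of
# the checks below would make suEXEC refuse to run it.
audit_cgi() {
    script=$1
    dir=$(dirname "$script")
    rc=0
    [ -f "$script" ] || { echo "REJECT not a regular file"; return 1; }
    smode=$(mode_of "$script")
    dmode=$(mode_of "$dir")
    if has_bits "$smode" 022; then
        echo "REJECT script writable by group/other ($smode)"; rc=1
    fi
    if has_bits "$smode" 6000; then
        echo "REJECT script is setuid/setgid ($smode)"; rc=1
    fi
    if has_bits "$dmode" 022; then
        echo "REJECT directory writable by group/other ($dmode)"; rc=1
    fi
    if [ "$(stat -c '%u' "$script")" != "$(stat -c '%u' "$dir")" ]; then
        echo "REJECT script and directory owners differ"; rc=1
    fi
    # Not a suEXEC check: the confidentiality problem from the first post.
    if has_bits "$smode" 004; then
        echo "WARN source readable by other local users ($smode)"
    fi
    return "$rc"
}

# Usage: sh audit_cgi.sh /home/*/public_html/*.cgi
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        echo "== $f"
        audit_cgi "$f" || true   # keep going after a rejected script
    done
fi
```

A script at mode 700 in a 711 directory passes with no findings, which is the arrangement suggested earlier in the thread for keeping source private while suEXEC runs it as its owner.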