Apache HTTP Server
krotish, 2011-03-02 01:16:32

Web server security: prevent the site from getting out of its folder

Good evening!

Actually, the question is this: I need to forbid a certain Apache site from getting out beyond its DocumentRoot folder.

We have: a server with Debian, apache2-mpm-itk.

The user testuser is chrooted; over SSH in /home the user sees only himself. Physically the user lives in /home/jail/home/testuser, and the DocumentRoot for Apache is /home/jail/home/testuser/www. In the Apache config of the testuser virtual host there is the following, which in theory should make Apache run the testuser site under his name. However, by running a script on the testuser site you can plainly see the contents of the Apache config.
[email protected]:~$ ls /home
testuser

AssignUserId testuser testuser

#!/usr/bin/perl
# CGI script served from the testuser vhost; mpm-itk runs it as testuser,
# yet it can still open a file well outside DocumentRoot.
print "Content-type: text/html\n\n";
open FILE, "/etc/apache2/apache2.conf" or die $!;
print <FILE>;
close FILE;


How do I avoid this? How can I make it so that scripts run on the testuser site cannot go beyond the testuser environment?


7 answer(s)
exIV (@exIV), 2011-03-02

You're comparing apples and oranges :) It doesn't matter where and what lies; what matters is who has what rights to "it" :)
If all users have the right to read the /etc/apache2/apache2.conf file, then it will be read by any user :) And what does the site have to do with it?
If you don't want testuser to read /etc/apache2/apache2.conf, remove the permissions and that's it :)

hshhhhh (@hshhhhh), 2011-03-02

In FreeBSD there is such a thing as jail; in Linux, in my opinion, it can be solved through SELinux.

Jazzist (@Jazzist), 2011-03-02

What "get out" means needs to be specified. exiv.habrahabr.ru is right.

pentarh (@pentarh), 2011-03-03

All this has to be configured through AppArmor/SELinux. It's still the same hassle, but it's worth it.
Putting Apache in a chroot is more expensive: you have to recreate the whole local structure of binaries and configs for each site. It's easier to spread the sites across OpenVZ containers.

wartur (@wartur), 2011-03-18

In Debian the read permissions are configured incorrectly by default; you need to change it so that reading /etc is prohibited for everyone except root. This will solve all problems.
chroot is not required for virtual hosts; it was created for something else. For this there is mpm-itk itself.
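
Both exIV's and wartur's answers reduce to the same point: mpm-itk only changes the uid the script runs as, so what testuser can read is decided purely by ordinary file permissions, and Debian ships /etc/apache2/apache2.conf as 0644. The script below is an added illustration written for this page, not code from any of the posters. It re-implements the POSIX owner/group/other check the kernel applies (root bypasses it, exactly one triplet is consulted, directory traversal needs the x bit), audits a constructed stand-in for /etc/apache2 from the point of view of an unrelated uid, then applies exIV's fix (drop the "other" read bit) and audits again. The tree, file names and modes are constructed sample data; no real system files are touched. One caveat on wartur's blanket approach: unprivileged processes legitimately read plenty of /etc (resolv.conf, nsswitch.conf, ld.so.cache, locale data), so in practice you restrict the Apache config files, not the whole directory.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Set, Tuple


def _dac_allows(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: Set[int],
                usr_bit: int, grp_bit: int, oth_bit: int) -> bool:
    """Classic POSIX discretionary access check, as the kernel applies it.

    root bypasses DAC entirely. Otherwise exactly ONE permission triplet is
    consulted, chosen in the order owner -> group -> other; a denying owner
    triplet is not rescued by a permissive "other" triplet. POSIX ACLs and
    MAC layers (AppArmor/SELinux) are deliberately out of scope here.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & usr_bit)
    if owner_gid in gids:
        return bool(mode & grp_bit)
    return bool(mode & oth_bit)


def can_read(mode: int, owner_uid: int, owner_gid: int,
             uid: int, gids: Set[int]) -> bool:
    return _dac_allows(mode, owner_uid, owner_gid, uid, gids,
                       stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(mode: int, owner_uid: int, owner_gid: int,
               uid: int, gids: Set[int]) -> bool:
    """Entering a directory needs the x (search) bit, not the r bit."""
    return _dac_allows(mode, owner_uid, owner_gid, uid, gids,
                       stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def files_readable_by(root: str, uid: int, gids: Set[int]) -> List[str]:
    """Regular files under root (paths relative to root) that the principal
    could open for reading, honouring the search bit on every directory on
    the way. Symlinks are skipped: their own mode is meaningless and following
    them would leave the tree being audited."""
    found: List[str] = []
    st = os.lstat(root)
    if not can_search(st.st_mode, st.st_uid, st.st_gid, uid, gids):
        return found
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            dst = os.lstat(os.path.join(dirpath, d))
            if stat.S_ISDIR(dst.st_mode) and can_search(
                    dst.st_mode, dst.st_uid, dst.st_gid, uid, gids):
                keep.append(d)
        dirnames[:] = keep  # prune what the principal cannot enter
        for f in filenames:
            path = os.path.join(dirpath, f)
            fst = os.lstat(path)
            if stat.S_ISREG(fst.st_mode) and can_read(
                    fst.st_mode, fst.st_uid, fst.st_gid, uid, gids):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_demo_tree() -> str:
    """Constructed stand-in for /etc/apache2 (temporary files, not the real
    system config). Modes mirror the Debian default (0644) and a single vhost
    file that already had 'chmod o-r' applied."""
    root = tempfile.mkdtemp(prefix="apache2-demo-")
    os.chmod(root, 0o755)
    sub = os.path.join(root, "sites-enabled")
    os.mkdir(sub)
    os.chmod(sub, 0o755)
    layout = {
        "apache2.conf": 0o644,
        "ports.conf": 0o644,
        "sites-enabled/testuser.conf": 0o640,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed sample config, not a real Apache file\n")
        os.chmod(path, mode)
    return root


def harden(root: str) -> None:
    """exIV's fix applied to a whole tree: drop the 'other' read bit on every
    regular file, leaving directories searchable and owner/group untouched.
    Apache's parent process parses the config as root before mpm-itk switches
    uid, so this does not break the server itself."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for f in filenames:
            path = os.path.join(dirpath, f)
            fst = os.lstat(path)
            if stat.S_ISREG(fst.st_mode):
                os.chmod(path, stat.S_IMODE(fst.st_mode) & ~stat.S_IROTH)


def demo() -> Tuple[List[str], List[str]]:
    """What an unrelated uid (standing in for testuser: not us, not in any of
    our groups) can read before and after harden()."""
    root = build_demo_tree()
    try:
        outsider_uid = os.getuid() + 1
        outsider_gids = {os.getgid() + 1}
        before = files_readable_by(root, outsider_uid, outsider_gids)
        harden(root)
        after = files_readable_by(root, outsider_uid, outsider_gids)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    readable_before, readable_after = demo()
    print("readable before:", readable_before)
    print("readable after: ", readable_after)
```

Running it lists apache2.conf and ports.conf as readable by the outsider before hardening and nothing afterwards. On a real box the equivalent is a chmod o-r over /etc/apache2 (or a group-only mode with a group that testuser is not in); the audit function can be pointed at the live directory with testuser's uid and gids to confirm the result.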

Vladimir Chernyshev (@VolCh), 2011-03-03

Install mod_chroot for Apache, if I understand correctly what you want.
