2

How do you set up file and folder rights in a shared web hosting environment? Do you use Apache + suexec? How can you prevent members of group "www" from reading files belonging to other users in the system (through SSH or PHP)?

3 Answers

1

One half of the solution is to chroot jail users into their respective DocumentRoots when they login to transfer files.

This can be achieved easily with SSH (SFTP/SCP) by using the ChrootDirectory directive.

Edit:

As the above de facto practice has been oddly down-voted, I may as well provide the other half too.

Generally the only way to prevent Apache scripting modules from accessing files on the FS that they shouldn't is to run them through suEXEC as CGI, which is pretty horrible in my opinion. You will then need to separately ensure that each user's files are restricted only to their own UID/GID, i.e. umask 027. Alternatively, there are some third-party modules that will do this in a box for you, such as suPHP.

2
  • This will still not keep Apache from being able to read the files of another user. After all, you can still do a find for files with appropriate permissions and then simply read them... Commented Jun 17, 2009 at 11:45
  • Indeed. That's why it's only one half of the solution. Commented Jun 17, 2009 at 12:02
0

The most common practice would be that each user in the shared web hosting environment would have their own UID (username) & GID (group) separate from that of the one the Apache web server runs at. You can use suexec to keep CGIs running as the same permissions as the user and not as the web server user/group. PHP will do this already for you by running as the user and not allowing the code to access something it doesn't have permissions to.

The problem will be in preventing members from being able to read files, as the permissions have to be open enough that the Apache server can read them to be able to serve them. I would recommend, if each user has their own UID/GID, 0664 for files and 0775 for directories. That gives 'others' read access only.

2
  • 1
    But it's still read only. I mean, you can still read configuration files and passwords in others' document roots... Commented Jun 17, 2009 at 11:02
  • Yes... the Apache DocumentRoot has to be read only... If you have configuration files and passwords, then they can be put in another directory outside the DocumentRoot and permissions set more restrictively, so long as the pages calling them in the DocumentRoot can access them. This is a problem when you're using a shared web environment... Generally, if I need something that high security, I get a dedicated server or VPS, not shared. Commented Jun 17, 2009 at 23:15
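The two answers above differ on permissions: 0664/0775 in one, umask 027 (0640/0750) in the other. The following audit script is an added example, not code from any answer. It lists the entries in one document root that other accounts can read. The function names, the `shared_gid` parameter (standing in for the question's "www" group) and the sample tree are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

def exposure(st, shared_gid=None):
    """Say why other accounts can reach this entry, or return None."""
    mode = stat.S_IMODE(st.st_mode)
    is_dir = stat.S_ISDIR(st.st_mode)
    # Files leak through read; directories through listing (r) or traversal (x).
    other = (stat.S_IROTH | stat.S_IXOTH) if is_dir else stat.S_IROTH
    group = (stat.S_IRGRP | stat.S_IXGRP) if is_dir else stat.S_IRGRP
    if mode & other:
        return "world"
    # A group every customer belongs to exposes as much as "others" does.
    if shared_gid is not None and st.st_gid == shared_gid and mode & group:
        return "shared-group"
    return None

def audit(root, shared_gid=None):
    """Return sorted (relative path, octal mode, reason) for exposed entries."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            reason = exposure(st, shared_gid)
            if reason:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), reason))
    return sorted(findings)

def build_sample(base):
    """Constructed tree: 0775/0664 as in the second answer, 0750/0640 from umask 027."""
    root = os.path.join(base, "alice")
    os.makedirs(os.path.join(root, "private"))
    layout = {"index.php": 0o664, "config.php": 0o640,
              os.path.join("private", "db.ini"): 0o640}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "private"), 0o750)
    os.chmod(root, 0o775)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for rel, mode, reason in audit(build_sample(base)):
            print(f"{mode}  {reason:12}  {rel}")
```

Passing the gid of a group that every hosting account belongs to as `shared_gid` also flags the 0640/0750 entries when they are owned by that group, which is the case the question asks about.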
0

FreeBSD jails are an option.

3
  • In what possible way are jails a solution for shared web hosting? Commented Jun 17, 2009 at 12:40
  • Shared doesn't necessarily mean shared IP. Providing multiple "shared" hosting accounts on a physical box can be provided with jails. Commented Jun 17, 2009 at 12:59
  • or maybe linux-vserver.org/Welcome_to_Linux-VServer.org ? Commented Jun 18, 2009 at 10:58
