[PLUG] I am looking for some different opinions about setting up groups

Wil Cooley wcooley at nakedape.cc
Sat Feb 22 13:59:02 UTC 2003


On Sat, 2003-02-22 at 09:03, Kenneth G. Stephens wrote:

> Yes.  In order for the server to serve the site, it needs access.  If
> you don't add it to the groups you will need to add world read access. 
> This sounds like you don't want non-group members to see the site.

This is a very bad idea.  The problem with putting Apache in their group
is that any vulnerability in a process running as Apache (Apache itself,
mod_php, mod_perl, mod_python, Java, mod_ssl, any other CGIs or
modules...) immediately gets write access to every one of your
customers' web sites.

There are better ways around this.  Assuming they'll be getting in with
FTP, you can use PureFTPd, which will make a "virtual chroot" into their
home directories, but will follow symlinks out, and IIRC only if they're
owned by an appropriate user, such as root.  So, you chroot them into
their home directories and make symlinks out to their web directories.

Given the choice between letting people see each other's documents and
giving Apache write access, I'd definitely choose the former.  Besides,
Apache only needs world-execute on directories to get access to the
files, unless they're providing open directories.  This should work to
set most directories properly:

  find /path/to/virtual/host -type d -exec chmod 771 {} \;

And I tend to prefer to name groups after the group, rather than
something generic, like 'group1'.  Unless you're mixing in much older
Linux systems or proprietary UNIX systems, the limit is 16 characters
(although that's only with names added with the 'useradd' utilities;
LDAP can serve much longer names, and I suspect vigr would allow you to
put in longer names too).  So if nothing else, use 'myverylongexam00'.

If you're really going to be hosting many sites, ISPMan
(http://www.ispman.org) is a pretty nice tool.  If you want to hire help
setting it up, call me :)

Wil
-- 
Wil Cooley                                 wcooley at nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
QCSNet                                     http://www.qcsn.com
* * * * T1, Frame Relay, DSL, Dial-up, and Web Hosting * * * *
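An added example (not part of Wil's post): a small POSIX shell script that applies the 771 directory scheme from the post to a constructed virtual-host tree and then audits the tree for directories that deviate from it or that are world-writable. The tree layout and function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a find(1) that
# understands -type, -perm and -exec (GNU and BSD both do).

# Set every directory under $1 to 771: owner rwx, group rwx, other x only.
# With Apache kept OUT of the customer's group, the web server is "other":
# it can traverse to a file it knows the name of, but cannot list the
# directory (no directory indexes) and cannot create or delete files.
fix_vhost_dirs() {
    find "$1" -type d -exec chmod 771 {} \;
}

# Number of directories under $1 whose mode is not exactly 771.
count_nonconforming_dirs() {
    find "$1" -type d ! -perm 771 | wc -l | tr -d ' '
}

# Number of files or directories under $1 that are world-writable
# (-perm -002 = "other" write bit set). Any hit would hand a process
# running as the web server user write access to the customer's site.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Constructed demo tree with one deliberately over-permissive directory.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/images" "$d/cgi-bin"
    echo '<html></html>' > "$d/htdocs/index.html"
    chmod 777 "$d/htdocs/images"   # world-writable: the bad case
    chmod 755 "$d/cgi-bin"         # readable/listable by everyone
    chmod 644 "$d/htdocs/index.html"
    echo "$d"
}
```

Run `fix_vhost_dirs /path/to/virtual/host` on a real tree and then confirm `count_world_writable` reports 0; file modes are left alone, so keep files at 640/644 yourself.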
