On Wed, May 29, 2002 at 03:46:54PM -0400, Jeff Dafoe wrote:
> Each virtualhost is individually configured such that suexec executes CGIs
>as the user/group that the virtual host owner logs in as.
You can also add chroot()ing the user into their home directory and the
configuration of resource limits as well. The chroot()ing bit does mean that
you have to place various files which will be required by the user's CGI
scripts into the user's home directory - you can use hard links (has problems
with administration and needing to have the source files on the same partition
as the home directories) or loopback mounts (setting up the mount points on
the fly isn't a great idea on a heavily loaded system tho) to do this.
You also have to be careful with what you place within the chroot() environment
to make sure that the user can't gain root privs as its relatively simple to
break out of a chroot() jail on most unix varients as root. The exception to
this is FreeBSD which has chroot() return an error if the calling process has
already called chroot() and it has a file descriptor open on a directory; this
effectively stops the chroot() escape method.
--
Simon the stressed http://www.bpfh.net/ simesat_private
"Our company name changes so often we have to use plain mugs and PostIt notes"
This archive was generated by hypermail 2b30 : Thu May 30 2002 - 13:30:16 PDT