North American Network Operators Group


Re: ARIN Policy on IP-based Web Hosting

  • From: Patrick Evans
  • Date: Thu Aug 31 14:24:14 2000

On Thu, 31 Aug 2000, Alec H. Peterson wrote:
> "John A. Tamplin" wrote:
> > 
> > Another issue nobody has mentioned is security between virtual servers.
> > Under name-based hosting, they all run as the same user-id and thus to get
> > the same security you have with separate IP-based servers you have to put
> > all the access control checks in all the tools that can be used.  This can be
> > hard if not impossible to do when you allow full shell access to the files
> > used by the server.
> 
> Not if you chroot() the user into their file space.  That may not be ideal,
> but there are ways to deal with it.
> 
Simple solution to this one, if using Apache...

httpd runs as 500:100
httpd also in group 200
users in group 100
users have uid $uid

suexec used to make CGIs run as $uid:100
home directories have ownership $uid:200 and mode 0750

Users can only get into their own home directories, the web server
process can serve pages from all of them, and CGIs run under the
appropriate permissions.

Works like a charm. I've no idea whether any commercial web server
software can do the same thing, but if a free offering can it'd be a
bit weird if they couldn't...

-- 
Patrick Evans - Sysadmin, bran addict and couch potato
pre at pre dot org                     www.pre.org/pre
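
The ownership scheme in the message above, modelled as an added example that is not part of the original post. It evaluates the standard Unix owner/group/other check for entering each home directory, and contrasts group 200 with the weaker choice of group-owning homes by the shared users group 100. The uids 1001 and 1002 and the names alice and bob are constructed for illustration.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1                                  # permission bits within one class
HTTPD_UID, USERS_GID, WEB_GID = 500, 100, 200      # numbers from the post
ALICE, BOB = 1001, 1002                            # constructed sample uids

@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    groups: frozenset = frozenset()                # supplementary groups

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int

def allowed(p, f, want):
    """Unix DAC check: exactly one class applies (owner, else group, else other)."""
    if p.uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif f.gid == p.gid or f.gid in p.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want

def home(uid, gid=WEB_GID, mode=0o750):
    return Inode(uid, gid, mode)

def matrix(gid=WEB_GID, mode=0o750):
    """Map (process, home owner) -> may the process list and enter that home?"""
    procs = {
        "httpd": Proc(HTTPD_UID, USERS_GID, frozenset({WEB_GID})),
        "alice": Proc(ALICE, USERS_GID),           # shell login
        "bob": Proc(BOB, USERS_GID),
        "cgi-bob": Proc(BOB, USERS_GID),           # suexec runs CGI as $uid:100
    }
    homes = {"alice": home(ALICE, gid, mode), "bob": home(BOB, gid, mode)}
    return {(p, h): allowed(pr, hd, R | X)
            for p, pr in procs.items() for h, hd in homes.items()}

if __name__ == "__main__":
    for label, gid in (("group 200 (as posted)", WEB_GID), ("group 100 (weak)", USERS_GID)):
        print(label)
        for (p, h), ok in matrix(gid).items():
            print(f"  {p:8} -> ~{h:6} {'allow' if ok else 'deny'}")
```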