Web hosting, restrict user to access only his folder


Web hosting, restrict user to access only his folder

Wesley MOUEDINE ASSABY
Hi,

I installed OpenBSD 4.7 for web hosting (test).
So I have 3 websites for 3 users (1 site per user) :
www.first.xx (user : firstxx)
www.2nd.xx (user : 2ndxx)
www.third.xx (user : thirdxx)

All web pages are stored in /var/www/domains/
So in /var/www/domains we have 3 folders :
www.first.xx folder (owner : firstxx ; chmod 755)
www.2nd.xx folder (owner : 2ndxx ; chmod 755)
www.third.xx folder (owner : thirdxx ; chmod 755)

I used ftpd (-4Dln) for users to upload their website (with /etc/ftpchroot
configured).
My problem: a user can see the content of others.
For example, 2ndxx can update his folder but he can also see the content of
the "firstxx" folder.
How can I restrict that?
Thanks.


Re: Web hosting, restrict user to access only his folder

Joachim Schipper
On Sat, Aug 14, 2010 at 12:04:56AM +0400, [hidden email] wrote:

> Hi,
>
> I installed OpenBSD 4.7 for web hosting (test).
> So I have 3 websites for 3 users (1 site per user) :
> www.first.xx (user : firstxx)
> www.2nd.xx (user : 2ndxx)
> www.third.xx (user : thirdxx)
>
> All web pages are stored in /var/www/domains/
> So in /var/www/domains we have 3 folders :
> www.first.xx folder (owner : firstxx ; chmod 755)
> www.2nd.xx folder (owner : 2ndxx ; chmod 755)
> www.third.xx folder (owner : thirdxx ; chmod 755)
>
> I used ftpd (-4Dln) for users to upload their website (with /etc/ftpchroot
> configured).
> My problem: a user can see the content of others.
> For example, 2ndxx can update his folder but he can also see the content of
> the "firstxx" folder.
> How can I restrict that?

Look into suexec, something other than Apache, or one of PHP's built-in
mechanisms. Note that suexec is slow, Apache is standard for a reason,
and PHP's security record is pretty bad.

                Joachim


Re: Web hosting, restrict user to access only his folder

Daniel Ouellet
In reply to this post by Wesley MOUEDINE ASSABY
> I used ftpd (-4Dln) for users to upload their website (with /etc/ftpchroot
> configured).
> My problem: a user can see the content of others.
> For example, 2ndxx can update his folder but he can also see the content of
> the "firstxx" folder.
> How can I restrict that?

Well, you could set up no login in the master.passwd for that user and
assign the home directory to their web site folder. They will change
root to that and can't get out of it via ftp.


Re: Web hosting, restrict user to access only his folder

Bret S. Lambert
In reply to this post by Wesley MOUEDINE ASSABY
On Sat, Aug 14, 2010 at 12:04:56AM +0400, [hidden email] wrote:

> Hi,
>
> I installed OpenBSD 4.7 for web hosting (test).
> So I have 3 websites for 3 users (1 site per user) :
> www.first.xx (user : firstxx)
> www.2nd.xx (user : 2ndxx)
> www.third.xx (user : thirdxx)
>
> All web pages are stored in /var/www/domains/
> So in /var/www/domains we have 3 folders :
> www.first.xx folder (owner : firstxx ; chmod 755)
> www.2nd.xx folder (owner : 2ndxx ; chmod 755)
> www.third.xx folder (owner : thirdxx ; chmod 755)
>
> I used ftpd (-4Dln) for users to upload their website (with /etc/ftpchroot
> configured).
> My problem: a user can see the content of others.
> For example, 2ndxx can update his folder but he can also see the content of
> the "firstxx" folder.
> How can I restrict that?

Somewhere between the monitor_init and yyparse calls in ftpd.c

> Thanks.


Re: Web hosting, restrict user to access only his folder

Benny Lofgren
In reply to this post by Daniel Ouellet
Daniel Ouellet wrote:

>> I used ftpd (-4Dln) for users to upload their website (with /etc/ftpchroot
>> configured).
>> My problem: a user can see the content of others.
>> For example, 2ndxx can update his folder but he can also see the
>> content of
>> the "firstxx" folder.
>> How can I restrict that?
>
> Well, you could setup no login in the master.passwd for that user and
> assign the home directory to their web site folder. They will change
> root to that and can't get out of it via ftp.
>

Or use for example PureFTPd, which has similar functionality built in
and can be used with *SQL or LDAP authentication so there would be no
need to use actual unix accounts.

That approach works only, however, if the web server isn't set up to run
CGI scripts or some scripting language like PHP, in which case it is a
piece of cake to write a script to look around in Apache's entire
chroot():ed environment.

(I've long wished for a privsep apache with separate chroot():s for
every virtual domain... one of these days I'm gonna have to look into
it, but I suppose it's not trivial to implement or someone would have
done it by now. :-) )


/B

--
internetlabbet.se     / work:   +46 8 551 124 80      / "Words must
Benny Löfgren        /  mobile: +46 70 718 11 90     /   be weighed,
                     /   fax:    +46 8 551 124 89    /    not counted."
                    /    email:  benny -at- internetlabbet.se


Re: Web hosting, restrict user to access only his folder

Stuart Henderson
In reply to this post by Wesley MOUEDINE ASSABY
If you have already set up each user in /etc/ftpchroot, then it sounds
like you haven't set the home directories correctly in the user accounts.

On 2010-08-13, [hidden email] wrote:

> Hi,
>
> I installed OpenBSD 4.7 for web hosting (test).
> So I have 3 websites for 3 users (1 site per user) :
> www.first.xx (user : firstxx)
> www.2nd.xx (user : 2ndxx)
> www.third.xx (user : thirdxx)
>
> All web pages are stored in /var/www/domains/
> So in /var/www/domains we have 3 folders :
> www.first.xx folder (owner : firstxx ; chmod 755)
> www.2nd.xx folder (owner : 2ndxx ; chmod 755)
> www.third.xx folder (owner : thirdxx ; chmod 755)
>
> I used ftpd (-4Dln) for users to upload their website (with /etc/ftpchroot
> configured).
> My problem: a user can see the content of others.
> For example, 2ndxx can update his folder but he can also see the content of
> the "firstxx" folder.
> How can I restrict that?
> Thanks.
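Daniel's and Stuart's advice amounts to two account-level checks: each hosting user must be listed in /etc/ftpchroot, and that user's home directory (which ftpd chroots into) must be the user's own site directory rather than the shared /var/www/domains parent; a nologin shell keeps the account from being used for anything but ftp. The audit below is an added example, not code from anyone in this thread; the passwd and ftpchroot contents are constructed, it reads the 7-field /etc/passwd format rather than master.passwd, and it handles only the plain one-login-per-line form of ftpchroot.

```python
import posixpath

DOMAINS = "/var/www/domains"          # parent of all site directories
# Constructed /etc/passwd sample (7 colon-separated fields per line).
PASSWD = """\
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
firstorg:*:1001:10:first site:/var/www/domains/www.first.org:/sbin/nologin
2ndcom:*:1002:10:second site:/var/www/domains:/bin/ksh
thirdnet:*:1003:10:third site:/home/thirdnet:/sbin/nologin
"""

# Constructed /etc/ftpchroot sample: the plain login-name-per-line form only.
FTPCHROOT = """\
# users that ftpd confines to their home directory
firstorg
2ndcom
thirdnet
"""

def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _uid, _gid, _gecos, home, shell = line.split(":")
            users[name] = {"home": posixpath.normpath(home), "shell": shell}
    return users

def parse_ftpchroot(text):
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def audit(passwd_text, ftpchroot_text):
    """Return {user: [findings]} for each hosting account (home under DOMAINS or
    listed in ftpchroot); an empty list means the account looks right."""
    users, chrooted = parse_passwd(passwd_text), parse_ftpchroot(ftpchroot_text)
    report = {}
    for name, u in users.items():
        if name not in chrooted and not u["home"].startswith(DOMAINS):
            continue                                  # not a hosting account
        findings = []
        if name not in chrooted:
            findings.append("not listed in ftpchroot: ftpd will not chroot this user")
        if not u["home"].startswith(DOMAINS + "/"):
            findings.append(f"home {u['home']} is not a single site directory, "
                            "so the ftp chroot exposes more than this user's site")
        if not u["shell"].endswith("nologin"):
            findings.append(f"shell {u['shell']} permits interactive login")
        report[name] = findings
    return report
```

In the constructed sample, 2ndcom is exactly the case from the first post: chrooted, but into the shared parent, so every sibling site is visible.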


Re: Web hosting, restrict user to access only his folder

Lars Nooden
In reply to this post by Wesley MOUEDINE ASSABY
On Sat, 14 Aug 2010, [hidden email] wrote:
> I used ftpd (-4Dln) for users to upload ...

You may wish to reconsider that and use sshd's built-in chroot with sftp.
Easier to set up and use.  A lot of people 'ask' for FTP by name meaning
a generic way to upload.  Even lame clients like Filezilla work with
SFTP.

/Lars


Re: Web hosting, restrict user to access only his folder

Wesley MOUEDINE ASSABY
In reply to this post by Stuart Henderson
Thanks a lot for your reply.

Now it works; what I did:
All users (firstorg, 2ndcom, thirdnet) are members of group users
cd /var/www/domains
chown -R firstorg www.first.org
chown -R 2ndcom www.2nd.com
chown -R thirdnet www.third.net
chgrp -R users *
chmod -R 745 *

Now, user "2ndcom" can only view and modify his own folder "www.2nd.com"

** And for MTA choice, i will try to install postfix ;-)
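Why the chgrp/chmod 745 change above works is worth spelling out: the kernel consults only one class of permission bits per access (owner, else group if the user is a member, else other), so putting all hosting users in group users and giving the group r-- on each site directory denies them search (x) permission on each other's directories even though "other" still has r-x; the web server user, not being in that group, keeps reading everything through the "other" bits, which is exactly the exposure Benny points out for CGI/PHP. The model below is an added example, not code from this thread; it assumes group users for both layouts, 644 files in the original 755 layout, and a www user outside group users.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1                     # permission bit masks

@dataclass
class Node:
    owner: str
    group: str
    mode: int                         # permission bits, e.g. 0o745

# Constructed group membership: the three hosting users share group "users";
# the web server user "www" is deliberately not a member.
GROUPS = {"users": {"firstorg", "2ndcom", "thirdnet"}}

def effective_bits(node, user):
    """The kernel consults exactly one class of bits: owner if the uid matches,
    else group if the user is a member (even when those bits are more
    restrictive than 'other'), else other."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if user in GROUPS.get(node.group, ()):
        return (node.mode >> 3) & 7
    return node.mode & 7

def can(tree, user, path, want):
    """True if user may perform `want` (a mask of R/W/X) on path.  Reaching an
    entry requires X (search) permission on every directory above it."""
    parts = path.split("/")
    for i in range(1, len(parts)):
        if not effective_bits(tree["/".join(parts[:i])], user) & X:
            return False
    return effective_bits(tree[path], user) & want == want

def layout(dir_mode, file_mode):
    """Constructed /var/www/domains tree: one site directory per user, each
    holding an index.html, keyed by path relative to /var/www."""
    tree = {"domains": Node("root", "wheel", 0o755)}
    for site, owner in (("www.first.org", "firstorg"), ("www.2nd.com", "2ndcom"),
                        ("www.third.net", "thirdnet")):
        tree[f"domains/{site}"] = Node(owner, "users", dir_mode)
        tree[f"domains/{site}/index.html"] = Node(owner, "users", file_mode)
    return tree

BEFORE = layout(0o755, 0o644)   # the first post's layout (site dirs chmod 755)
AFTER = layout(0o745, 0o745)    # the fix: chgrp -R users; chmod -R 745
```

Note the residual caveat the model exposes: with 745 a sibling user can still list the file names inside another site directory (r on the directory), just not enter it or read the files, and www reads every site regardless.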


Re: Web hosting, restrict user to access only his folder

Chris Cappuccio
In reply to this post by Benny Lofgren
Benny Löfgren [[hidden email]] wrote:
>
> (I've long wished for a privsep apache with separate chroot():s for
> every virtual domain... one of these days I'm gonna have to look
> into it, but I suppose it's not trivial to implement or someone
> would have done it by now. :-) )
>
>

I think people do this today by just running multiple daemons, one under each uid, binding each one to a different IP (or to a different port and using a reverse proxy on port 80)

Of course it would be convenient if the system could multiplex it for you with one master daemon


Re: Web hosting, restrict user to access only his folder

Benny Lofgren
Chris Cappuccio wrote:
> Benny Löfgren [[hidden email]] wrote:
>> (I've long wished for a privsep apache with separate chroot():s for
>> every virtual domain... one of these days I'm gonna have to look
>> into it, but I suppose it's not trivial to implement or someone
>> would have done it by now. :-) )
> I think people do this today by just running multiple daemons, one
> under each uid, binding each one to a different IP (or to a different
> port and using a reverse proxy on port 80)
>
> Of course it would be convenient if the system could multiplex it for
> you with one master daemon

Yes, that's how I currently do things too, but it's an inconvenient
solution to the problem, mainly because Apache doesn't lend itself well
to be run in multiple instances on the same server (and the hassle of
needing a reverse proxy introduces another level of complexity).


/B

--
internetlabbet.se     / work:   +46 8 551 124 80      / "Words must
Benny Löfgren        /  mobile: +46 70 718 11 90     /   be weighed,
                     /   fax:    +46 8 551 124 89    /    not counted."
                    /    email:  benny -at- internetlabbet.se


Re: Web hosting, restrict user to access only his folder

Joel Wirāmu Pauling
lighttpd does, however. So you may want to look into it over Apache.

On 23/08/2010, Benny Löfgren <[hidden email]> wrote:

> Chris Cappuccio wrote:
>> Benny Löfgren [[hidden email]] wrote:
>>> (I've long wished for a privsep apache with separate chroot():s for
>>> every virtual domain... one of these days I'm gonna have to look
>>> into it, but I suppose it's not trivial to implement or someone
>>> would have done it by now. :-) )
>> I think people do this today by just running multiple daemons, one
>> under each uid, binding each one to a different IP (or to a different
>> port and using a reverse proxy on port 80)
>>
>> Of course it would be convenient if the system could multiplex it for
>> you with one master daemon
>
> Yes, that's how I currently do things too, but it's an inconvenient
> solution to the problem, mainly because Apache doesn't lend itself well
> to be run in multiple instances on the same server (and the hassle of
> needing a reverse proxy introduces another level of complexity).
>
>
> /B
>
> --
> internetlabbet.se     / work:   +46 8 551 124 80      / "Words must
> Benny Löfgren        /  mobile: +46 70 718 11 90     /   be weighed,
>                      /   fax:    +46 8 551 124 89    /    not counted."
>                     /    email:  benny -at- internetlabbet.se