Shared Hosting Securities

SoreGUms

Active Member
#1
http://www.litespeedtech.com/suppor...speed_wiki:security:shared_hosting_securities

That article is a bit airy-fairy. It's not concrete enough in what is being put across.

What are the exact configurations required?

So in Apache using MPM-ITK I would do the following.

System Accounts (user/group)
  • user1/user1
  • apache01/apache01
    • user1 member of apache01

VHost-config
  • specify user/group to run as "apache01/apache01"

File system permissions
PHP:
VHOST/:
drwxr-x--- 4 user1 apache01 4096 May 16 13:41 .
drwxr-x--- 7 user1 apache01 4096 Aug  2 14:17 ..
drwxr-x--- 8 user1 apache01 4096 Jun 28 13:49 html
drwxrwx--- 2 user1 apache01 4096 May 16 13:41 logs

VHOST/html:
drwxr-x--- 8 user1  apache01   4096 Jun 28 13:49 .
drwxr-x--- 4 user1  apache01   4096 May 16 13:41 ..
-rw-r----- 1 user1  apache01    284 May 16 13:41 index.html
As can be clearly seen here, only user1 has full access and the Apache/vhost user only has read access, except for the logs dir so it can write logs etc. Everyone else has zero access.

So what is the equivalent setup for LSWS please?

Thanks :D

mistwang

LiteSpeed Staff
#4
LSWS can run PHP and CGI in suEXEC mode, usually under the uid/gid of the owner of the document root. And you can force the gid to something else.

SoreGUms

Active Member
#5
OK, I've looked some more and it looks like this to me.

The user of the docroot is used and, if the gid is forced (server-wide), it uses that as well.

So therefore the user needs to not be a member of the forced group. If it were, it would have read access to all files under that group...

How then do you make files un-writable by the web server? If the user loses write access, they can't write, but then neither will the web server...

Something's amiss here...

This is what needs to be achieved in a shared hosting environment.

1. Users are only able to read/write their own files
2. VHost should be able to read files in current VHost only
3. Able to control which files VHost may write

So far I don't see this happening. A server-wide configured group allows any vhost read access to any vhost. If the docroot user is used then the rights are whatever the user has; if this includes write then the vhost can write, and if you take away write the user will be unable to modify the files...

Please tell me where I'm going wrong with my logic...

mistwang

LiteSpeed Staff
#6
Web server runs as nobody:nobody.
User's document root is owned by user:nobody with permission mask 0750.
Force GID to another user id: web-share.
For anything that needs to be shared server-wide, it should be owned by nobody:web-share, with a permission mask of 0750 or 0770, depending on whether you want a user to write to that directory.
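A small POSIX shell audit for the layout mistwang describes in #6, checked against the three requirements SoreGUms lists in #5; it is added here as an example and is not part of the thread or of LiteSpeed's own tooling. It assumes the web server's gid is passed as WEBGROUP ("nobody" in #6), that one optional subtree (a logs or uploads directory) is the only place group-write is intended, and that ownership by the correct user account is verified separately; only `find`, `ls` and `awk` are needed.

```shell
#!/bin/sh
# audit_docroot DOCROOT WEBGROUP [WRITABLE_SUBDIR]
#
# Walks one user's document root and checks it against the layout above:
# group WEBGROUP on every entry (the gid the server's PHP/CGI run under,
# "nobody" in post #6), no permission bits at all for "other", and no
# group-write anywhere except under WRITABLE_SUBDIR (e.g. a logs or uploads
# directory), the one place the web server is meant to write.
# Ownership by the right user account is not checked here (assumption).
#
# Prints one "TAG  path" line per violation and returns 1 if any were found:
#   OTHER   some permission bit set for "other" (world-readable, etc.)
#   GROUP   group is not WEBGROUP
#   GWRITE  group-writable outside WRITABLE_SUBDIR: the web server could modify it
audit_docroot() {
    docroot=$1
    webgroup=$2
    writable=${3:-}
    # Symlinks are skipped: their own mode bits carry no meaning.
    report=$(
        find "$docroot" ! -type l -print | while IFS= read -r entry; do
            line=$(ls -ld "$entry")
            mode=${line%% *}                          # e.g. drwxr-x---
            group=$(printf '%s\n' "$line" | awk '{print $4}')
            other=$(printf '%s' "$mode" | cut -c8-10) # the "other" triple
            gw=$(printf '%s' "$mode" | cut -c6)       # group write bit
            [ "$other" = "---" ] || printf 'OTHER   %s\n' "$entry"
            [ "$group" = "$webgroup" ] || printf 'GROUP   %s\n' "$entry"
            exempt=0
            if [ -n "$writable" ]; then
                case $entry in
                    "$writable" | "$writable"/*) exempt=1 ;;
                esac
            fi
            if [ "$gw" = "w" ] && [ "$exempt" -eq 0 ]; then
                printf 'GWRITE  %s\n' "$entry"
            fi
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run it as `audit_docroot /home/user1/public_html nobody /home/user1/public_html/logs` (paths constructed for illustration); a clean tree prints nothing and exits 0, so it can sit in a cron job or a deploy hook.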