[pgh-pm] Restricting File I/O in Apache

James O'Kane jo2y at midnightlinux.com
Wed Feb 16 16:38:31 PST 2005


On Wed, 16 Feb 2005, Tom Moertel wrote:
> Does this mean that if user X runs the script, it cannot read user Y's files, 
> even if the files are otherwise readable by X (say mode 664)?  If so, that's 
> a tall order.  If, on the other hand, you just want the script to be run as 
> X, letting normal Linux permissions handle the rest, that should not be too 
> hard (e.g., via suid wrapper or sbox).

This is correct, partly. AFS permissions work differently: suid doesn't 
work the same way, and Linux root cannot gain the AFS tokens of another user 
without that user's password. Currently only user X and Apache A can 
access X's files. Y cannot.
What we're trying to limit is user Y using a cgi to open a file in X's 
directory. This server is used for a web programming class, and we don't 
want students being able to read each other's work.


>> http://stein.cshl.org/~lstein/sbox/ looks like it would almost work, but it 
>> would require making a small filesystem in the user's home directory for 
>> chroot to work, ...
>
> Are your requirements such that you can use sbox without its chroot features?

I'll need to set up a test server and try things, but since suid doesn't 
work the same way with AFS, I'm not sure it will work.

> Is Apache running as a user that has access to every script user's files?  In 
> other words, if Apache is running as user A, and user X wants to run the 
> script to access a file that he owns with permissions 600, how would you do 
> it?  Unless A is root (naughty), you cannot, right?

Again, unix file permissions don't work the same way.

-james