Hello, guys !
The company I work for has a few web hosting servers and I'd like to know how can I secure the servers a little bit ?
The situation is like this:
Apache runs as nobody so all users can run scripts as nobody. This is a big security problem beacause if I have an account on the server, I can access the files of another user on the server (nobody has read and execute rights on users directory). If I cut the rights for the nobody user, then nobody cannot read the web sites hosted in the user's directory.
Do you have any ideeas how can I handle this situation ? I mean, how can I restrict a user from seeing other user's files through PHP or some CGI scripts but without restrictioning the nobody user.
The operating sistem is CentOS Linux, and the server is Apache.
Any ideeas are welcomed.
Did you try to run some scripts for "nobody" to set the uid or setting rights by using grep and chown or chmod?
For example, assuming that you are the admin, so you should have the rights to "read, write, execute" to a user folders. You should also try to have a scripts to set user to have read only when they go to other user's folders.
This is just a starter. Your description is pretty brief, unless you want something more specific, then post it here and we can discuss about it.
Hi !
I guess that you didn't understood what I mean (and my english sucks, I know). I'll try to explain the situation again with an example, in this way maybe you (and whoever reads this post) can understand batter what I need.
So, there is the server that is used for web hosting. The web server (apache) is running as nobody. There are a few accounts on the server and each account have a public_html directory where his web page is kept. The home directory of each user must have at least execute rights for the group for apache (nobody) to be able to read the content of public_html directory (or pass through it).
In the public_html directory the user can put his PHP files which are interpreted by apache (nobody). As long as every file in public_html must be readable by nobody and every directory in public_html must have the execute rights some bad user can make a script that will read other users files beacause his script will run as nobody (like all the PHP/CGI scripts).
So, for example, if I make an account on the server I can make a script that will read the /home/some_user/public_html/phpmyadmin/config.php file beacause my script will run as nobody and nobody (as a user) can read all files in public_html directory of each user.
What I want to know is how can I block users to see each others files through some scripts even if the scripts are running as nobody (beacause are interpreted by apache) and 'nobody' has read and/or execute rights on the other user's files ?
Am I clear this time ? If not I'm sorry... I haven't used my english for a while and now I tend to have gramar problems 
Thanks for your time.
At the first sight it seems like it is what I need... Thanks !