[BLUG] Some webhosts
Joe Auty
blug_at_mailman.cs.indiana.edu
Tue, 30 Jan 2007 11:26:28 -0500
Neat trick! I never thought of simply assuming that a user's group
membership would override the "everybody" permission set... I'll
experiment with this, thanks! (not a huge concern on my server
though, since SSH access is limited)

It's too bad that this isn't working:
http://httpd.apache.org/docs/2.0/mod/perchild.html

Do you know of anything else that accomplishes this sort of thing?

There have been times in the past where I've relied upon my superuser
privileges to make a directory writable by Apache. On one hand,
perhaps this is a good security model separating privileges like
this, but on the other hand it can be inconvenient. I haven't decided
yet whether there is a way to have my cake and eat it too =)

On Jan 30, 2007, at 11:18 AM, Mark Krenz wrote:
>
> On Suso, all users are in the users group. So I just make the home
> directories owned by the user and group owned by the users group. Like
> this:
>
> # ls -ld /home/mark
> drwx---r-x 22 mark users 12288 Jan 30 15:23 /home/mark
>
> This prevents other users from entering your home directory, but it
> allows processes like Apache in. And it doesn't rely on obscurity.
> The only problem with this is when a user does something like
> chmod 755 /home/username and opens their directory up. But then they
> are only opening themselves up and that's kinda their fault. Sometime
> soon I'll write a program that checks for this change automatically
> and corrects it. It would be nice if there was a way to do it on a
> filesystem level, but I haven't found any way.
>
>
>
> On Tue, Jan 30, 2007 at 04:02:32PM GMT, Joe Auty
> [joe_at_netmusician.org] said the following:
>> Just for my own education, how do you guys go about not making home
>> directories containing websites world readable when apache runs as a
>> different user? I know there is an experimental Apache MPM to do
>> this, and probably another thing or two you can do to serve websites
>> running as that user. Is this a smart thing to do?
>>
>>
>>
>>
>> On Jan 30, 2007, at 9:48 AM, Mark Krenz wrote:
>>
>>>
>>> For comparison, Suso has comparable services and maybe a third of
>>> the number of users and the load averages about 1. Less now that I've
>>> distributed the load a bit better. It never goes above 5 unless
>>> something is wrong. From what I've seen on Dreamhost, a load between 8
>>> and 200 is the norm. Since normal users can't see the whole process
>>> table, it's hard to tell what is going on. The system itself was a bit
>>> sluggish and transfers took forever. The way they do things is just
>>> odd. I would never NFS mount that many partitions. It's better to
>>> create more servers to put your users on instead of trying to put them
>>> all on one server.
>>>
>>> Ok, you got me into it now. Their security was horrible, the home
>>> directories weren't world readable, but they were world executable, so
>>> if you knew any of the subdirectories, you could get into someone's web
>>> directory where everything was world readable and perhaps world
>>> writeable. Finding out someone's web directories was easy too because
>>> the xferlog was world readable, which meant you could see what everyone
>>> was transferring to their accounts. And they say that their servers are
>>> secure because they are protected by ninjas. What a joke. A sure sign
>>> that the people there haven't got a clue.
>>>
>>> I've gotten tired of seeing this kind of thing on webhosts so I've
>>> started a page on my new personal website/wiki for it:
>>>
>>> http://suso.suso.org/xulu/Web_hosting_providers_with_poor_security
>>>
>>> A note to people using Internet Explorer, I haven't fixed the
>>> mediawiki stylesheet yet to work properly. I'm trying to make it look
>>> like my current site (http://suso.suso.org/)
>>>
>>>
>>>
>>> On Tue, Jan 30, 2007 at 01:31:33PM GMT, Simon Ruiz
>>> [sruiz_at_mccsc.edu] said the following:
>>>> For reference, what numbers SHOULD they be having?
>>>>
>>>> ________________________________
>>>>
>>>> From: blug-admin_at_cs.indiana.edu on behalf of Matt Standish
>>>> Sent: Tue 1/30/2007 8:29 AM
>>>> To: blug_at_cs.indiana.edu
>>>> Subject: Re: [BLUG] Some webhosts
>>>>
>>>>
>>>>
>>>> I have seen load averages this high on MTA's which use NFS to write
>>>> messages to a central store.
>>>>
>>>> Too bad SAN's are so expensive huh?
>>>>
>>>> remember: Proper Prior Planning Prevents Piss Poor Performance :)
>>>>
>>>>
>>>> On 1/29/07, Mark Krenz <mark_at_slugbug.org> wrote:
>>>>>
>>>>> I'm sorry, I just have to share this. I guess this is the kind of thing
>>>>> that you face on some webhosts (in this case dreamhost.com):
>>>>>
>>>>> $ w
>>>>> 19:17:09 up 52 days, 3:23, 4 users, load average: 328.28, 274.12, 166.21
>>>>>
>>>>> $ df | wc -l
>>>>> 244
>>>>>
>>>>> Yes, they had 240 NFS mounted partitions for the purpose of symlinking
>>>>> home directories off to other servers so that they could have more space
>>>>> for their users. Let's not get started on their security. I don't want
>>>>> to waste your time.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Mark Krenz
>>>>> Bloomington Linux Users Group
>>>>> http://www.bloomingtonlinux.org/
>>>>> _______________________________________________
>>>>> BLUG mailing list
>>>>> BLUG_at_linuxfan.com
>>>>> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>>>>>
>>>>
>>>>
>>>> --
>>>> Matt Standish
>>>> MSN Messenger: mps__at_hotmail.com
>>>> Yahoo Messenger: mattstandish_at_yahoo.com
>>>> Google Talk: mstandish
>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> Mark Krenz
>>> Bloomington Linux Users Group
>>> http://www.bloomingtonlinux.org/
>>
>>
>
> --
> Mark Krenz
> Bloomington Linux Users Group
> http://www.bloomingtonlinux.org/
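
Added example, not part of the original thread: a POSIX shell illustration of the 0705 home-directory scheme quoted above, showing why a member of the owning group is kept out while a process outside that group gets in, plus the kind of drift check the quoted message says it would be nice to automate. The function names (applied_bits, can_enter, audit_homes) and the sample directories are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Scheme: home directories are
# owned user:users with mode 0705, as in the "ls -ld /home/mark" listing.

# applied_bits MODE CLASS -> the one permission digit the kernel consults.
# Exactly one class applies (owner, else group, else other); a member of
# the owning group never falls through to the "other" bits.
applied_bits() {
    m=$(( 0$1 ))
    case $2 in
        owner) echo $(( (m >> 6) & 7 )) ;;
        group) echo $(( (m >> 3) & 7 )) ;;
        *)     echo $((  m       & 7 )) ;;
    esac
}

# can_enter MODE CLASS: success if that class holds the search (x) bit.
can_enter() { [ $(( $(applied_bits "$1" "$2") & 1 )) -eq 1 ]; }

# audit_homes BASE [fix]: print every directory directly under BASE whose
# group triplet grants anything (e.g. after "chmod 755"); with "fix",
# reset it to 0705. Only mode bits are checked, not group ownership.
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        [ -L "$d" ] && continue          # do not chmod through symlinks
        hit=$(find "$d" -prune \( -perm -040 -o -perm -020 -o -perm -010 \) -print)
        if [ -n "$hit" ]; then
            echo "$d"
            if [ "$2" = fix ]; then chmod 0705 "$d"; fi
        fi
    done
}

# Constructed demo: two sample homes in a scratch directory.
demo() {
    t=$(mktemp -d)
    mkdir "$t/alice" "$t/bob"
    chmod 0705 "$t/alice"
    chmod 0755 "$t/bob"                  # bob opened his directory up
    audit_homes "$t" fix                 # prints .../bob and repairs it
    rm -rf "$t"
}
demo
```

Run from cron as root against the real home base, the audit would report (or, with `fix`, reset) any directory whose owner has loosened the group bits.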