security: boundaries for untrusted users

Ann Cantelow cantelow@atlas.csd.net
Wed, 11 Apr 2001 14:07:47 -0600 (MDT)


Greetings.  Apologies if this has been discussed already; I couldn't find
it in the FAQs or list archives.

In the SECURITY document that comes with Imp, it says that if you have
untrusted users allowed to log in to your system you can get max security
this way:

  " For completely fascist permissions, you can make the entire
    PHPLIB/Horde/IMP trees inaccessible except by the web server:

        # chgrp -R nobody /home/httpd/horde-phplib
        # chgrp -R nobody /home/httpd/html/horde
        # chmod -R o-rwx /home/httpd/horde-phplib
        # chmod -R o-rwx /home/httpd/html/horde "

Of course, this goes out the window if the untrusted users also have
access to write cgi programs on the system, since cgi programs normally
also run as the web user.  (Seems to me the SEC. doc should mention that.)

Can I tell my boss about Imp on this machine, "can't get there from here"?  
Has anyone, for instance, successfully brought up an installation using
apache, suexec, and php as a cgi program outside of the document tree?  
Or should I insist we run this on a machine with no untrusted cgi users?

Thanks heaps for any advice or ideas.

Ann Cantelow
cantelow@athena.csdco.com
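The lockdown quoted from the SECURITY document, applied to a constructed sample tree and then audited, as an added example that is not part of the original message or of the IMP/Horde project. The tree, its contents and the web-server group are assumptions (the group defaults to the caller's own primary group so the script runs anywhere; a real installation would use the server's group, e.g. nobody, as in the quoted commands):

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the "fascist
# permissions" recipe from the IMP SECURITY doc on a scratch tree and
# audits that no file or directory under it is still reachable by "other".
# WEBGROUP is an assumption: the group the web server runs as.
WEBGROUP="${WEBGROUP:-$(id -gn)}"

# Constructed stand-in for /home/httpd/html/horde; $1 is a scratch directory.
make_sample_tree() {
  mkdir -p "$1/config" "$1/lib"
  printf '<?php $conf["password"] = "example-secret";\n' > "$1/config/conf.php"
  printf '<?php echo "index";\n' > "$1/lib/index.php"
  # Start out world-readable, which is how many installs end up by default.
  chmod -R o+r "$1"
}

# The recipe from the SECURITY doc: hand the tree to the web server's group
# and strip every permission bit for "other".
lock_down() {
  chgrp -R "$WEBGROUP" "$1" && chmod -R o-rwx "$1"
}

# Audit: count entries that still carry any read, write or execute bit for
# "other". 0 means the lockdown is complete. Uses the portable -perm -mode
# form (all listed bits set), one bit per test, so it works on GNU and BSD find.
count_other_access() {
  find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) | wc -l | tr -d ' '
}

# Stand-alone run: build the tree, lock it down, report the audit result.
if [ "${1:-}" = "--demo" ]; then
  T=$(mktemp -d)
  make_sample_tree "$T/horde"
  echo "before: $(count_other_access "$T/horde") entries readable by other"
  lock_down "$T/horde"
  echo "after:  $(count_other_access "$T/horde") entries readable by other"
  rm -rf "$T"
fi
```

Run it with `--demo` to see the counts before and after. The audit only checks the "other" bits, which is all the recipe controls: any process running under the web server's group, including a CGI program written by a user on the box when CGI runs as the web user rather than under suexec, still has group read access to everything in the tree.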