Apache server allowing ssh

codefather · 06-26-2003, 02:11 AM

I need help in apache security setting of a high school.
We have setup the server so that http ://myschool.edu/~student1/ will be translated to /home/student1/public_html/ .This much works fine. However, we also allow ssh access to students. Problem is, student2, who is another (ssh)user on the system, can also view the html code of student1. If student1 makes his public_html folder inaccessible to other users(chmod o-r), his webpage will throw a Permission Denied error.
Is there any solution to this problem?

Thanks.

Crashed_Again · 06-26-2003, 02:20 AM

Good question but I have a question for you. If student1 is offering web pages viewable to the public then what is stopping the public from right-clicking on student1's page and viewing the source code? Putting a page on the web is, by default, allowing access to the code.

codefather · 06-26-2003, 03:03 AM

We are planning to let them run php/perl scripts, not just pure html. And this was a question one of the students asked me - it never struck any of us

Crashed_Again · 06-26-2003, 03:18 AM

Ah ha. Well then. That is a very good point. hmmm...I'm going to have to gracefully bow away from this one and let some guru take over.

sepski · 06-26-2003, 04:33 AM

how about using apache as group ?
and set it like this

ll -d /home/username
drwx--x--- 5 username apache 4096 Jan 30 01:18 username

ll -d /home/username/public_html
drwxr-x--- 15 username apache 4096 Jun 26 10:34 /home/username/public_html

the apache group must contain the user running apache, this is usualy the apache user.

codefather · 06-26-2003, 05:08 AM

I am not sure whether I understood what you said

What I get is to make a group apache which has read/execute privileges on public_html directories. But that should mean student1 also be in apache group. Sorry if I didnt make myself clear earlier, but student2 also has his own webpage and all. So he too needs to be in apache group if his pages are to be displayed. And since both are now in same group, they both have read access to each others.....well.....am i confusing or is it just that i am confused???

sepski · 06-26-2003, 05:28 AM

if you use redhat the apache user and group is setup already

the group file is like this
[root]# grep apache /etc/group
apache:x:48:

the passwd file is like this
[root]# grep apache /etc/passwd
apache:x:48:48:Apache:/var/www:/bin/false

the point is that the webserver is running as (usualy) the apache user.
so for a page to be displayed on the web, the apache user need to be able to enter the public_html dir and read the contents.

therfor only the apache user need to be in the apache group, and no other user will be able to enter or read other users public_html

as long as the apache user/group have read/execute on all public_html folders, if will be on the web.
#drwxr-x--- 15 username apache 4096 Jun 26 10:34 /home/username/public_html

--

apache also need to enter the /home/username dir in order to enter the public_html
#drwx--x--- 5 username apache 4096 Jan 30 01:18 username

the commands to set up all this on a rh server is
chgrp apache /home/username
chmod 710 /home/username
chgrp apache /home/username/public_html
chmod 750 /home/username/public_html

hope i was clearer now ?

codefather · 06-26-2003, 06:15 AM

That was great. There will be some confusion in implementing groups (as of now, we have students of each class in one group) but I got the essence of what you meant. Let me just try them. Thanks pal.

Robert0380 · 06-26-2003, 01:50 PM

.post deleted by me, not helpful at all.