Author: Fedor (Ted) Gnuchev
Date: 03-09-01 12:40
Thanks for very good article!
You may consider changing to "unique" scheme - with every user
getting personal UID==GID.
Also requires User and Group directives in virtual host sections of httpd.conf and correct suexec installation.
(Apply with a grain of salt :-)
- you'll be able to track who's running what instead of anonymous apache user. Trust me, it is helpful :-) if you allow them to run perl scripts and give them freedom to use half of the CPAN modules. Some users will mistake you for jellyhead instead of being grateful for being given "no crippleware" tools.
- users will be unable to break out of 750 permission mask on home dir.
- matches PHP security features - you'll need them to stop abuse: php is as dangerous as any good tool for "cripled" users.
- you'll have to take care of adding User and Group to every
virtual host section you have.
- you'll have to make sure suexec is properly installed.
- users will stop telling that you suck after couple of unsuccessuful attempts to break your security scheme :-)