mod_ruid, chroot and jail

Would it be a problem to use mod_ruid with the interworx setup?
Are there also plans to chroot/jail every user?
Is it possible to set the umask on an interworx system by default at 600 for every new file and 700 for every new map?

Implementation of rsbac (http://www.rsbac.org/) would be great as well!

Are there also plans to chroot/jail every user?

There is already a jail ssh for users. it means home dir is in /chroot and /chroot also contains very ncessary libs and files as /lib, /bin /etc etc…

If I remeber they use the jailkit package http://olivier.sessink.nl/jailkit/

So to include a command in the chroot env you have to use jk_cp

Normaly in a chroot env like this users can’t go away of the chroot env but as home is in the chroot, it means users might still look for others users’ file with php, but can’t run command not allow in the chroot (maybe false with this point)

Pascal

OK, thanks for the feedback.

Reason I’m asking is because one of our server was defaced. Every file that had main, home, default or index in a part of the filename on the entire system was defaced. So also core system files (outside the /home dir). It was a combination of a bug in a joomla module and the reason why the iworx team made a new kernel: http://www.interworx.com/forums/showthread.php?t=1530

Luckly we make rsync backups every day, so we could get everything working again, also with the help of the interworx team.

I have been playing with mod_ruid, it looks great! I think it should be really easy to implement this as a standard interworx feature!

Could you tell me what do you like in mod_ruid ?
Does it run also php script under the uid/gid of the owner of the script ? is thta right ?
Advantage for you ? inconvenient ?

Thanks for your feedback

Pascal

if you set the umask standard to 600 for files and 700 for directories and when you use mod_ruid than this prevents that users can overwrite files from each other.
So that hackers have “less fun” when they hack only one website.

Other advantage is that when a user installs a script, then chmod some files to 777 since apache has to get write privelages, the owner changes to apache and then the user can’t delete the files and maps and we have to delete these files for them.

That are the two main advantages.

Sorry for my late reply, was out of the office.

-R?mon

[QUOTE=WebXtrA;9695]if you set the umask standard to 600 for files and 700 for directories and when you use mod_ruid than this prevents that users can overwrite files from each other.
So that hackers have “less fun” when they hack only one website.

Other advantage is that when a user installs a script, then chmod some files to 777 since apache has to get write privelages, the owner changes to apache and then the user can’t delete the files and maps and we have to delete these files for them.

That are the two main advantages.

Sorry for my late reply, was out of the office.

-R?mon[/QUOTE]

But do you run php as module or as cgi ?

Does it mean that the php script are run under the uid/gid of the owner of php script ?

I mean, normally you have to give read authority to all for a php script to able apache user to read and execute this script. With mod_ruid you mean that you can have a php script (and php as module) set to 600 ?

Pascal