Типо настроено, а работает не так как надо...
Код: Выделить всё
root@host: # uname -a
FreeBSD host 9.1-RELEASE FreeBSD 9.1-RELEASE #3: Sat Aug 3 00:38:54 EEST 2013 root@host:/usr/obj/usr/src/sys/HOST amd64
Код: Выделить всё
root@host:/usr/local/etc/apache24 # cat /etc/make.conf
PERL_VERSION=5.14.4
#BATCH=YES
DEFAULT_MYSQL_VER=56
PORTSDIR?= /usr/ports
.if ${.CURDIR} == ${PORTSDIR}/databases/mysql56-server
WITH_CHARSET=cp1251
WITH_XCHARSET=all
WITH_COLLATION=cp1251_bin
WITH_OPENSSL=yes
#WITH_LINUXTHREADS=yes
WITH_PROC_SCOPE_PTH=yes
BUILD_OPTIMIZED=yes
#BUILD_STATIC=yes
WITHOUT_INNODB=yes
#WITH_ARCHIVE=yes
#WITH_FEDERATED=yes
#WITH_NDB=yes
.endif
.if ${.CURDIR} == ${PORTSDIR}/databases/mysql56-client
WITH_CHARSET=cp1251
WITH_COLLATION=cp1251_bin
BUILD_OPTIMIZED=yes
.endif
#LOADER_TFTP_SUPPORT=YES
#.if ${.CURDIR} == ${PORTSDIR}/mail/exim
#WITH_MYSQL= yes
#WITH_FILE_PATH?= syslog
#WITH_CONTENT_SCAN= yes
#WITH_DEFAULT_CHARSET?= koi8-r
#WITHOUT_IPV6= yes
#.endif
APACHE_VERSION=24
DEFAULT_APACHE_VERSION=24
APACHE_PORT=www/apache24
.if ${.CURDIR} == ${PORTSDIR}/www/apache24
WITH_SUEXEC=yes
SUEXEC_DOCROOT="/home"
SUEXEC_USERDIR="www"
.endif
Код: Выделить всё
# httpd -V
Server version: Apache/2.4.6 (FreeBSD)
Server built: Aug 3 2013 15:53:36
Server's Module Magic Number: 20120211:23
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
-D APR_USE_FLOCK_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr/local"
-D SUEXEC_BIN="/usr/local/sbin/suexec"
-D DEFAULT_PIDLOG="/var/run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="etc/apache24/mime.types"
-D SERVER_CONFIG_FILE="etc/apache24/httpd.conf"Код: Выделить всё
# php -v
PHP 5.3.27 with Suhosin-Patch (cli) (built: Aug 2 2013 19:44:51)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2013 Zend TechnologiesКод: Выделить всё
# suexec -V
-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=1000
-D AP_HTTPD_USER="www"
-D AP_LOG_EXEC="/var/log/httpd-suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=1000
-D AP_USERDIR_SUFFIX="www"
Код: Выделить всё
#cat /usr/local/etc/rc.d/apache24/httpd.conf
ServerRoot "/usr/local"
Listen 80
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
#LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
LoadModule session_module libexec/apache24/mod_session.so
LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
LoadModule suexec_module libexec/apache24/mod_suexec.so
LoadModule cgi_module libexec/apache24/mod_cgi.so
#LoadModule cgid_module libexec/apache24/mod_cgid.so
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
#LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule fcgid_module libexec/apache24/mod_fcgid.so
LoadModule php5_module libexec/apache24/libphp5.so
<IfModule mod_fcgid.c>
AddHandler fcgid-script .fcgi
FCGIWrapper /usr/local/bin/php-cgi .php
</IfModule>
<IfModule unixd_module>
User www
Group www
</IfModule>
ServerAdmin admin@admin.net
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "/var/log/httpd-access.log" common
</IfModule>
<IfModule mime_module>
TypesConfig etc/apache24/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# AddType application/x-httpd-php .php
# AddType application/x-httpd-php-source .phps
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
<Directory />
Options Indexes FollowSymLinks Includes
AllowOverride All
Order allow,deny
# SetHandler fcgid-script
# FCGIWrapper /usr/local/bin/php-cgi .php
# Options ExecCGI
Allow from all
# AllowOverride none
# Require all denied
</Directory>
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
Options Indexes FollowSymLinks
AllowOverride None
#
# Controls who can get stuff from this server.
#
# Require all granted
## Options Indexes FollowSymLinks Includes
## AllowOverride None
## Order deny,allow
## SetHandler fcgid-script
## FCGIWrapper /usr/local/bin/php-cgi .php
## Options ExecCGI
## Allow from all
</Directory>
<IfModule dir_module>
DirectoryIndex index.php index.phps index.html index.htm
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "/var/log/httpd-error.log"
LogLevel warn
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock cgisock
</IfModule>
#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include etc/apache24/Includes/*.conf
Include etc/apache24/vhosts/*.conf
Код: Выделить всё
#ls -la /usr/local/etc/apache24/vhosts/
total 12
drwxr-xr-x 2 root wheel 512 Aug 3 22:20 .
drwxr-xr-x 7 root wheel 512 Aug 3 22:30 ..
-rwxr-x--- 1 root wheel 1372 Aug 3 22:20 domain1.conf
Код: Выделить всё
root@host:/usr/local/etc/apache24/vhosts # cat domain1.conf
# VHOSTS FOR domain1 #
<VirtualHost *:80>
UseCanonicalName Off
SuexecUserGroup domain1 domain1
php_admin_value open_basedir /home/domain1/domain1/www
php_admin_value upload_tmp_dir "/home/domain1/domain1/tmp"
php_admin_value session.save_path "/home/domain1/domain1/tmp"
ServerAdmin admin@admin.net
DocumentRoot /home/domain1/domain1/www
ServerName domain1
ServerAlias www.domain1
DirectoryIndex index.php index.html index.htm
AddHandler application/x-httpd-php .php
ScriptAlias /php-bin/ /home/domain1/domain1/cgi-bin/
Action application/x-httpd-php /php-bin/php.sh
<Directory *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory "/home/domain1/domain1/php-bin">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Код: Выделить всё
root@host:/home/domain1/domain1/cgi-bin # ls -loa
total 12
drwxr-x--- 2 domain1 domain1 - 512 Aug 3 16:27 .
drwxr-x--- 6 domain1 domain1 - 512 Aug 3 17:18 ..
-rwxr-x--- 1 root domain1 schg,sunlnk 49 Aug 3 16:21 php.sh
Код: Выделить всё
root@host:/home/domain1/domain1/cgi-bin # cat php.sh
#!/bin/sh
exec nice -n 20 /usr/local/bin/php-cgi
Код: Выделить всё
#pw groupmod "domain1" -m "www"
#pw groupmod "domain2" -m "www"
#chmod -R 750 /home/domain1
#chown-R domain1:domain1 /home/domain1
#chmod -R 750 /home/domain2
#chown-R domain2:domain2 /home/domain2
1) При такой настройке пользователь domain1 может шарить по файлам domain2 и смотреть содержимое без проблем.
Вопрос: что я сделал не так? т.е. как запретить просматривать чужие папки?
2) Проблема загрузки файлов.
Если поставить на загружаемую директорию права 777 видно, что файл загружается с правами "www:domain1" и в tmp директорию навернаяка так же загружается.
Вопрос как решить данную проблему?
3)
Код: Выделить всё
root@host:/home/domain1/domain1/www # cat test.php
<pre>
<?php
echo "WHOAMI: ".`whoami`;
echo "<hr>";
echo `ls -la /home/domain2/`;
echo "<hr>";
echo `cat /home/domain2/.cshrc`;
echo "<hr>";
echo `ls -la /home/`;
echo "<hr>";
echo `ls -la `;
echo "<hr>";
?>
</pre>
Код: Выделить всё
WHOAMI: www
--------------------------------------------------------------------------------
total 44
drwxr-x--- 3 domain2 domain2 512 Aug 3 12:25 .
drwxr-xr-x 5 root wheel 512 Aug 2 21:21 ..
-rwxr-x--- 1 domain2 domain2 1016 Aug 2 21:21 .cshrc
-rwxr-x--- 1 domain2 domain2 254 Aug 2 21:21 .login
-rwxr-x--- 1 domain2 domain2 165 Aug 2 21:21 .login_conf
-rwxr-x--- 1 domain2 domain2 381 Aug 2 21:21 .mail_aliases
-rwxr-x--- 1 domain2 domain2 338 Aug 2 21:21 .mailrc
-rwxr-x--- 1 domain2 domain2 750 Aug 2 21:21 .profile
-rwxr-x--- 1 domain2 domain2 283 Aug 2 21:21 .rhosts
-rwxr-x--- 1 domain2 domain2 980 Aug 2 21:21 .shrc
drwxr-xr-x 5 root domain2 512 Aug 3 12:24 domain2
--------------------------------------------------------------------------------
# $FreeBSD: release/9.1.0/share/skel/dot.cshrc 242850 2012-11-10 06:05:04Z eadler $
#
# .cshrc - csh resource script, read at beginning of execution by each shell
#
# see also csh(1), environ(7).
# more examples available at /usr/share/examples/csh/
#
alias h history 25
alias j jobs -l
alias la ls -aF
alias lf ls -FA
alias ll ls -lAF
# A righteous umask
umask 22
set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin $HOME/bin)
setenv EDITOR vi
setenv PAGER more
setenv BLOCKSIZE K
if ($?prompt) then
# An interactive shell -- set some stuff up
if ($uid == 0) then
set user = root
endif
set prompt = "%n@%m:%/ %# "
set promptchars = "%#"
set filec
set history = 1000
set savehist = (1000 merge)
set autolist = ambiguous
# Use history to aid expansion
set autoexpand
set autorehash
set mail = (/var/mail/$USER)
if ( $?tcsh ) then
bindkey "^W" backward-delete-word
bindkey -k up history-search-backward
bindkey -k down history-search-forward
endif
endif
--------------------------------------------------------------------------------
total 48
drwxr-xr-x 5 root wheel 512 Aug 2 21:21 .
drwxr-xr-x 13 root wheel 1024 Aug 3 10:22 ..
drwxr-x--- 3 domain2 domain2 512 Aug 3 12:25 domain2
drwxr-x--- 4 domain1 domain1 512 Aug 3 00:11 domain1
--------------------------------------------------------------------------------
total 19972
drwxr-x--- 30 domain1 domain1 1536 Aug 3 22:12 .
drwxr-x--- 6 domain1 domain1 512 Aug 3 17:18 ..
-rwxr-x--- 1 domain1 domain1 260 Aug 3 22:12 test.php
--------------------------------------------------------------------------------
Зарание благодарен!
Спасибо!
