Hi list. I use Apache2.0+mod_perl_1.99+PHP on my server. I want to lend web space to users. But I found a big problem which I don't know how to resolve. For example, user test1's home directory is /home/test1, and he can't access other directories or files via ftp. But if he uploads a simple script like the following to his home directory,
    #!/usr/bin/perl
    use CGI;
    my $p=new CGI;
    print $p->header;
    open(HANDLE,"/etc/passwd");
    while(<HANDLE>)
    {
        print "$_<BR>";
    }
    close(HANDLE);
then, via his CGI script through the browser....
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    ......
By setting the file's attributes, the problem could be repaired. But if a CGI file's permission is set to XX0, it can't run.
What's the problem? You don't want a user to be able to read files which it can read when logged in? This is not a mod_perl problem, you will have the same issues with mod_cgi. The only difference is that you can run mod_cgi under suexec, whereas mod_perl is run under the same user it was started with and cannot be switched per request.
I am going to add a judgement to perl's function OPEN(). If the file name which was asked to open begins with "/" or "../", perl can decline it. I don't know perl's source code at all, so I am not sure if it is a good idea.
You can't prevent this, because there are many other ways to read the file in. e.g.:
print `cat /etc/passwd`;
Maybe there are some other ways to resolve this problem (I just heard of chroot, but I am not clear how to do it). Would someone give me a hint? Any advice would be appreciated.
Yes, chroot is exactly the right thing. See: http://perl.apache.org/search/swish.cgi?query=chroot&sbm=&submit=search
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
http://use.perl.org    http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
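A pre-flight check for the suexec route mentioned in the reply, as an added example that is not part of the original thread: it audits one user's CGI directory against suexec's documented ownership and write-permission checks, and flags scripts that still grant access to "other", which is no longer needed once a script runs as its owner (the XX0 case from the question). The function name `suexec_preflight` is hypothetical, the directory owner is assumed to be the account suexec switches to, and the last check is a hardening step added here, not a suexec rule.

```shell
#!/bin/sh
# Added example: audit a user's CGI directory before moving it from the shared
# Apache user to mod_cgi + suexec. Prints one line per problem found.
# Returns 0 when the tree passes, 1 otherwise.
suexec_preflight() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }

    # Assumption: the directory owner is the user suexec will switch to.
    owner=$(ls -ld "$dir" | awk '{print $3}')

    problems=$(
        # suexec refuses directories and programs writable by anyone else.
        find "$dir" \( -type d -o -type f \) \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'writable by group/other: %s\n' {} \;

        # suexec refuses setuid/setgid programs.
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'setuid/setgid: %s\n' {} \;

        # The program's owner must match the target user.
        find "$dir" ! -user "$owner" \
            -exec printf 'not owned by directory owner: %s\n' {} \;

        # Hardening (not a suexec rule): scripts that run as their owner
        # do not need read or execute bits for "other", so mode XX0 works.
        find "$dir" -type f \( -perm -0004 -o -perm -0001 \) \
            -exec printf 'still open to other users: %s\n' {} \;
    )

    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
```

This only narrows access between user accounts; world-readable system files such as /etc/passwd remain readable to every script, which is the part chroot addresses.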